Agent Security Ops

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate security-auditing skill, but its default scan reaches into sensitive host areas outside the chosen repo without separate opt-in controls.

Install only if you want a broad local security audit, not just a repo secret scan. Treat its reports and .security-ops state as sensitive because they may include secret matches, local service details, SSH file paths, and repository metadata. Review scan output before sharing it, and use --fix-ssh only when you intentionally want it to chmod files under ~/.ssh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest markets the skill as secret-leak prevention for repos, yet the file documents broader system and account inspection. This mismatch undermines informed consent and makes the skill riskier because operators may run it in contexts where only repo-local access was expected.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
Host-level and account-level inspection capabilities such as SSH auditing, shell-profile scanning, port enumeration, and git/GitHub remote checks exceed what many users would infer from a repo hardening tool. In security tooling, overbroad collection increases privacy risk and can expose credentials, local configuration, and service inventory unrelated to the target repo.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Scanning `$HOME`, Desktop, Downloads, and shell profiles reaches outside the user-specified repository boundary and can access unrelated secrets or personal files. That broader access materially increases the blast radius if results are logged, exfiltrated, mishandled, or viewed by an unintended party.

Intent-Code Divergence

Low
Confidence: 79%
Finding
The FAQ says no API keys or external services are needed, but the documented GitHub visibility checks and TruffleHog verification can depend on external services or authenticated tooling. This is primarily a trust and accuracy issue: users may not expect outbound calls or external dependency on service availability.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script exceeds repository-scoped secret scanning and inspects host-level state including open ports, shell profiles, SSH configuration, and git remote metadata. Even if framed as security hygiene, this broad host inspection collects unrelated local-system information and increases privacy and data-exposure risk when run as an agent skill.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The open port scan enumerates listening services on the host, which is unrelated to repo secret scanning and reveals local service topology and possibly process metadata. In an agent-skill context, this broadens access from repository contents to host reconnaissance, which may expose sensitive operational details.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script reads shell startup files in the user's home directory and searches for loose .env files in $HOME, Desktop, and Downloads. This accesses data outside the repository boundary and may expose secrets, filenames, and personal environment configuration unrelated to the intended scan target.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Auditing ~/.ssh and enumerating private key file permissions accesses highly sensitive credential locations on the host. Even though the script mainly checks metadata, it still probes security-critical files outside repo scope and reports details that could aid credential targeting or disclose workstation setup.

Context-Inappropriate Capability

Low
Confidence: 80%
Finding
The script uses gh api to query GitHub repository visibility over the network, causing external network interaction beyond local repo scanning. This can leak repository identifiers to external services and creates side effects that users may not expect from an offline security scan.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The script can modify files in $HOME/.ssh, which is outside the target repository and broader than the stated repo security setup purpose. Although gated behind the explicit --fix-ssh flag, it still performs host-level changes to sensitive SSH material and could unexpectedly alter a user's environment if invoked in the wrong context.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill lacks an explicit privacy warning for scanning user home locations and shell profiles, even though those areas often contain highly sensitive credentials and personal data. Without clear warning, users may unintentionally authorize broader inspection than intended.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script searches outside the target repository in user home directories without a clear, real-time consent step at execution. A note in help text is insufficient because many invocations will not pass through --help, so users may unknowingly disclose local files and configuration.

VirusTotal

65/65 vendors flagged this skill as clean.
