ztp

Security checks across malware telemetry and agentic risk

Overview

This is mostly a security scanner, but its bundled Python tool can execute the file being audited despite promising not to run target code.

Review before installing. Scanning a single Python file can run that file's top-level code, so use this only in a disposable or tightly sandboxed environment unless the dynamic scan path is removed or made an explicit opt-in. Also verify the actual installed path before following the documented command, and decide explicitly which external tools may run.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    report_content = f"""# 🛡️ Shield Pro Security Report v{__version__}

    **Date:** {os.popen('date -u +"%Y-%m-%dT%H:%M:%SZ"').read().strip()}
    **Scan Status:** {status_icon} **{status_text}**

    ## 1. Executive Summary
Confidence
96% confidence
Finding
**Date:** {os.popen('date -u +"%Y-%m-%dT%H:%M:%SZ"').read().strip()}

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises broad operational behavior including shell execution, file access, environment access, network-capable tooling, and report generation, but declares no permissions. In a security-audit skill, undeclared capabilities are especially risky because users may trust it as a defensive control while it can perform powerful actions that expand attack surface and bypass least-privilege expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is a passive audit skill, but the described behavior goes beyond simple validation into dynamic import-time trapping, shell-based report generation, filesystem writes, and broad scanning actions. This mismatch is dangerous because it can cause operators to approve or invoke the skill under false assumptions, enabling execution paths and side effects inconsistent with a supposedly non-executing zero-trust auditor.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill states a 'No Execution' principle yet instructs the agent it 'MUST run' multiple external tools. That contradiction can pressure an automated agent to execute environment-dependent binaries, creating unnecessary command-execution risk, data exposure, and inconsistent behavior while undermining the core zero-trust claim of the skill.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill presents itself as a security validation/audit tool, but this code also writes reports to disk and performs dynamic import-time execution of scanned Python files. That creates a capability mismatch: a supposedly passive validator becomes an active executor, which is dangerous in zero-trust contexts because scanning untrusted artifacts can trigger attacker code.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Using shell command execution to fetch the date is unnecessary for the stated purpose and introduces process-spawning behavior into a security auditor. In a validation-oriented skill, unjustified shell access is especially risky because it undermines trust boundaries and may be blocked or repurposed in hostile environments.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
scan_dynamic loads and executes the target Python file with importlib, meaning analysis of an untrusted file can run attacker-controlled import-time code. The SafeImportHarness is incomplete protection because it only mocks a small set of modules and silently ignores many exceptions, so malicious code can still execute side effects through other paths or evade detection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool performs shell-like execution without warning or confirmation, which is inappropriate for a skill marketed as a validator. Even with a fixed command, hidden process execution erodes operator trust and can become a foothold for broader misuse if similar patterns are adopted elsewhere in the codebase.

VirusTotal

64/64 vendors flagged this skill as clean.
