
Security audit

CNC Quote Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill matches its CNC quoting purpose, but it needs review because it can expose sensitive quote data through logs/history and declares underspecified notification and optional local-code integrations.

Review before using with real customer or proprietary part data. Disable or tightly scope email/calendar notifications, avoid enabling UniSkill unless the local code path is trusted, and treat logs/results as sensitive because raw quote requests may be recorded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code prepends an external workspace path to Python's import search path, allowing code outside the skill's reviewed package boundary to be imported implicitly. In an agent environment, that creates a supply-chain and code-injection risk: if that directory is writable or replaced, the agent may execute unreviewed code during initialization, even though the feature is described as an optional validation layer.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The implementation contradicts the documented security posture: when config.json is missing, the code proceeds to enable the optional UniSkill path-loading behavior instead of keeping it disabled by default. This insecure-default behavior increases the chance that the risky external import path is activated unintentionally in production or fresh deployments.
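The two findings above describe one combined failure: an optional import path that is activated when config.json is absent, and no check on what that path points to. The block below is an added example (not the skill's own code) of the fail-closed shape a reviewer would expect: a missing or malformed config leaves the feature off, and the directory is only prepended to the import search path after it is confirmed to live under an allowed root, be owned by the current user, and not be writable by anyone else. The config keys (uniskill.enabled, uniskill.path), the allowed_roots argument and the function names are hypothetical; the page does not show the skill's real config layout.

```python
import json
import os
import stat
import sys
from pathlib import Path

# Hypothetical config layout: the audited skill's real config.json keys are not shown on this page.
DEFAULT_CONFIG = {"uniskill": {"enabled": False, "path": None}}


def load_config(config_path):
    """Fail closed: a missing or malformed config.json yields the defaults, with UniSkill disabled.
    The insecure pattern this replaces treated a missing file as permission to enable the feature."""
    cfg = json.loads(json.dumps(DEFAULT_CONFIG))  # cheap deep copy of the defaults
    try:
        with open(config_path, "r", encoding="utf-8") as fh:
            user_cfg = json.load(fh)
    except (OSError, ValueError):
        return cfg
    section = user_cfg.get("uniskill") if isinstance(user_cfg, dict) else None
    if isinstance(section, dict):
        cfg["uniskill"].update(section)
    return cfg


def is_trusted_dir(candidate, allowed_roots):
    """A directory is trusted only if it exists, is not a symlink, resolves to somewhere under an
    allowed root, is owned by the current user, and is not writable by group or others."""
    p = Path(candidate)
    if p.is_symlink() or not p.is_dir():
        return False
    resolved = p.resolve()
    roots = [Path(r).resolve() for r in allowed_roots]
    if not any(resolved == r or r in resolved.parents for r in roots):
        return False
    st = resolved.stat()
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False  # anyone else could drop a module here and have it imported
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    return True


def maybe_enable_uniskill(cfg, allowed_roots, search_path=None):
    """Prepend the UniSkill directory to the import search path only when the config explicitly
    enables it and the directory passes is_trusted_dir. Returns (enabled, reason).
    search_path defaults to sys.path; pass a list to exercise the logic without touching imports."""
    if search_path is None:
        search_path = sys.path
    section = cfg.get("uniskill", {})
    if not section.get("enabled", False):
        return False, "disabled by config (default)"
    path = section.get("path")
    if not path:
        return False, "enabled but no path configured"
    if not is_trusted_dir(path, allowed_roots):
        return False, "refused untrusted directory: %s" % path
    resolved = str(Path(path).resolve())
    if resolved not in search_path:
        search_path.insert(0, resolved)
    return True, "enabled from %s" % resolved
```

The ownership and mode checks matter more than the allow-list: a path under the workspace that any other local user can write to is exactly the replaceable directory the first finding warns about.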

Missing User Warnings

Low
Confidence
80% confidence
Finding
The workflow is designed to process manufacturing quote inputs and historical case data, which may contain commercially sensitive specifications, pricing, or customer information, yet the description provides no privacy, handling, or retention warning. This can lead users to submit sensitive data without understanding exposure risks, especially in workflows involving RAG and multi-agent processing.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The workflow description is broad and the file does not define clear activation boundaries, allowed input scope, or when the workflow should or should not run. In a multi-agent quoting system with retrieval, competitor analysis, notifications, and automated reminders, vague triggering increases the risk of over-collection of data, unintended execution, or use in contexts the author did not intend.

Ssd 3

Medium
Confidence
92% confidence
Finding
The workflow logs the full user_input and also stores it verbatim in the returned result structure and execution history. In a quoting workflow, user submissions may include proprietary part details, customer data, deadlines, or other sensitive business information, which could be exposed through logs, reports, debugging output, or in-memory history retained longer than necessary.
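As an added example (not the skill's code), the block below shows how a quoting workflow can keep a usable audit trail without writing the raw submission into logs, the returned result, or the in-memory history: each request is identified by a short SHA-256 fingerprint, the log line carries only a redacted, length-bounded preview, and the history is a bounded deque of those summaries. The redaction patterns, the PREVIEW_CHARS limit, the QuoteHistory class and handle_quote_request are all hypothetical names chosen for the example; the sample request text in the usage is constructed.

```python
import hashlib
import logging
import re
from collections import deque

log = logging.getLogger("cnc_quote")

# Redaction targets typical of quote requests. Part numbers and dates are deliberately left intact:
# they are what the quoting logic needs, and the phone pattern requires 10 digits in 3-3-4 groups
# so that values like "BRK-2201" or "2024-06-01" are not touched.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
PREVIEW_CHARS = 80


def fingerprint(text):
    """Short, stable identifier for correlating one request across log lines and history
    without storing the request itself."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def redact(text):
    text = EMAIL_RE.sub("[email]", text)
    return PHONE_RE.sub("[phone]", text)


def preview(text):
    """Redacted, single-line, length-bounded excerpt suitable for a log line."""
    flat = " ".join(redact(text).split())
    return flat if len(flat) <= PREVIEW_CHARS else flat[:PREVIEW_CHARS] + "..."


class QuoteHistory:
    """Bounded in-memory history that never holds the raw submission."""

    def __init__(self, maxlen=100):
        self._items = deque(maxlen=maxlen)

    def record(self, user_input):
        entry = {"id": fingerprint(user_input), "chars": len(user_input), "preview": preview(user_input)}
        self._items.append(entry)
        return entry

    def entries(self):
        return list(self._items)


def handle_quote_request(user_input, history):
    """Flagged pattern (not executed here):
        log.info("user_input: %s", user_input); result["user_input"] = user_input
    Hardened: log the fingerprint plus a redacted preview, and return the id instead of the text."""
    entry = history.record(user_input)
    log.info("quote request %s (%d chars): %s", entry["id"], entry["chars"], entry["preview"])
    return {"request_id": entry["id"], "status": "queued"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample request, not real customer data.
    sample = ("Need 50 pcs of bracket BRK-2201 in 6061-T6 by 2024-06-01. "
              "Contact jane.doe@example.com or +1 (555) 010-0199.")
    hist = QuoteHistory(maxlen=2)
    print(handle_quote_request(sample, hist))
```

The fingerprint lets an operator join a log line to the full request held in whatever system is actually authorised to keep it, which is the retention decision the finding says the skill never makes explicit.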

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0

# Optional dependencies (for extended functionality)
# ollama>=0.1.0  # vector embedding service
Confidence
93% confidence
Finding
pyyaml>=6.0 sets only a lower bound, so every install resolves to whatever the newest pyyaml release on the index is at that moment; builds are not reproducible and a future release is accepted without review. Pin an exact version (and, where the install tooling supports it, hashes) instead.
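To make the "unpinned" verdict checkable rather than a matter of reading the file by eye, here is an added example (not part of the audit tooling or the skill) of a small requirements.txt classifier: it reports a line as pinned only when an exact `==` clause names a single release, distinguishes pinned lines with and without a `--hash=` option, and treats lower bounds, compatible-release clauses and wildcards as unpinned. The parsing is a deliberate loose reading of PEP 508 rather than a full implementation, and the sample requirements text, including its dummy hash, is constructed; only the pyyaml line and the commented-out ollama line come from the page.

```python
import re

# A requirement line, loosely after PEP 508: name, optional extras, then everything else.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# One version clause inside a specifier set; the longer operators must be tried first.
SPEC = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^,\s;]+)")


def classify_requirement(line):
    """Return (name, verdict, detail) for one requirements.txt line, or None for
    blank lines, comments and pip options (-r, --index-url, ...)."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("-"):
        return None
    tokens = body.split()
    hashed = any(t.startswith("--hash=") for t in tokens)
    req = " ".join(t for t in tokens if not t.startswith("--"))
    m = REQ_LINE.match(req)
    if not m:
        return (req, "unparsed", "could not parse requirement")
    name = m.group(1).lower()
    specs = SPEC.findall(m.group(3))
    exact = [v for op, v in specs if op in ("==", "===") and not v.endswith("*")]
    if exact:
        return (name, "pinned" if hashed else "pinned-no-hash", "==%s" % exact[0])
    if not specs:
        return (name, "unpinned", "no version specifier; the newest release on the index is installed")
    shown = ", ".join(op + v for op, v in specs)
    return (name, "unpinned", "specifier '%s' does not select a single release" % shown)


def check_requirements(text):
    """Classify every line of a requirements file; returns the non-empty results in order."""
    results = []
    for line in text.splitlines():
        r = classify_requirement(line)
        if r is not None:
            results.append(r)
    return results


def unpinned_names(text):
    return [name for name, verdict, _ in check_requirements(text) if verdict == "unpinned"]


# Constructed sample: the audited file's pyyaml line plus a few other shapes for contrast.
# The --hash value is a dummy placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
pyyaml>=6.0

# Optional dependencies (for extended functionality)
# ollama>=0.1.0  # vector embedding service
requests
numpy==1.*
cryptography==42.0.5 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, verdict, detail in check_requirements(SAMPLE_REQUIREMENTS):
        print("%-14s %-15s %s" % (name, verdict, detail))
```

Commented-out optional dependencies such as the ollama line are skipped on purpose: they are not installed, so they are not a supply-chain exposure until someone uncomments them, at which point the same check flags them.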

VirusTotal

66/66 vendors flagged this skill as clean.