litellm attack detector

Security checks across malware telemetry and agentic risk

Overview

This LiteLLM compromise detector is mostly read-only and purpose-aligned, but it automatically makes outbound DNS queries despite claiming it sends no data.

Install only if you are comfortable with the detector making outbound DNS queries for known malicious domains when run. Users in sensitive incident-response or containment environments should remove or disable the DNS-resolution block first, or run it only where outbound DNS activity is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The script performs active DNS lookups with `host` against attacker-related domains even though it is described as a read-only, safe local scanner. This creates outbound network activity, can leak that the detector was run, and may violate expectations or policy in restricted environments.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
A detector advertised as read-only should not initiate external resolution requests during normal execution. Those lookups generate network side effects, may alert external infrastructure, and undermine trust in the tool's safety claims.

VirusTotal

15/64 vendors flagged this skill as malicious, and 49/64 flagged it as clean.
