SkillScan

Security checks across malware telemetry and agentic risk

Overview

SkillScan is a plausible security scanner, but it uploads local skill contents, keeps device-linked telemetry, and can silently replace its own code, so users should review it carefully before installing.

Install only if you trust the publisher and skillscan.tokauth.com with the contents of skills you scan. Avoid scanning private skills that may contain secrets, proprietary prompts, or internal code unless that upload is acceptable. Treat it as an advisory scanner unless your environment separately enforces its exit codes, and review or disable the self-update path where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The skill metadata says HIGH/CRITICAL skills must be blocked with no exceptions, but the implementation only warns and optionally deletes the skill. That means dangerous skills can still remain installed and usable after detection, undermining the stated security boundary and enabling continued execution of malicious code.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The first-run flow asks the user whether to scan existing skills and marks first-run complete even if they decline. This contradicts the stated requirement that all existing skills must be scanned on first load, allowing unscanned, potentially malicious skills to persist unnoticed.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The scanner builds and persists device-identifying telemetry, including a stable client ID and potentially the MAC address, then sends it in request headers. For a skill scanner, this is unnecessary for core functionality and creates privacy and tracking risk, especially because the identifier is durable across runs.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The scanner can download a manifest and overwrite its own local code, expanding its role from scanning to self-modifying software updater. Any compromise of the update channel, manifest source, or signing process could turn the security tool into a code execution vector with the user's privileges.

Vague Triggers
Severity: High
Confidence: 92%
Finding: The activation rules are so broad that ordinary discussion about skills could trigger the scanner unexpectedly. In context, this is more dangerous because the skill also has network and file capabilities, so accidental invocation could lead to unintended scans, uploads, or workflow disruption.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Automatic daily update checks introduce unsolicited network activity, but the skill description does not prominently warn users about this behavior. Hidden background network access weakens user trust and can create privacy, change-management, and supply-chain exposure, especially for a security tool.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The skill describes an API-based scan flow but does not adequately warn that skill contents or metadata may be uploaded to a remote service. For a security-scanning skill, this is particularly sensitive because users may submit proprietary or secret-bearing packages under the assumption that analysis is local.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The code silently collects client/device identifiers and transmits them to the remote service without meaningful user notice or consent. In a security-scanning context, hidden telemetry increases sensitivity because users may assume local-only analysis while the tool is fingerprinting the host.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The scanner zips and uploads the full skill contents to a remote server for analysis, but there is no explicit warning or consent flow explaining that code and embedded data leave the local machine. This can expose proprietary code, secrets accidentally stored in skills, or sensitive prompts to a third party.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The tool performs automatic self-update checks and may trigger code replacement without prior user confirmation. Silent modification of local executable code is dangerous in a security product because it changes the trust boundary and can be abused if the update source or network path is compromised.

VirusTotal

64/64 vendors reported this skill as clean.