Security audit

Urlopnik

Security checks across malware telemetry and agentic risk

Overview

This vacation-assistant skill is mostly coherent, but it can change the local Python environment during PDF generation, and it gives no clear account of how it handles employee data or sends email.

Review before installing. Use it only where automatic pip installs are acceptable, or preinstall reportlab in a controlled environment. Do not let it send or store real employee leave details unless you can verify the recipient, contents, retention behavior, and deletion path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not HAS_REPORTLAB:
    print("⚠️  reportlab nie jest zainstalowany. Instaluję...")
    import subprocess
    subprocess.run(["pip", "install", "reportlab"], check=True)
    from reportlab.lib.pagesizes import A4
    from reportlab.pdfgen import canvas
    from reportlab.lib.units import cm
Confidence
96% confidence
Finding
subprocess.run(["pip", "install", "reportlab"], check=True)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The function is presented as a PDF generator but also performs package installation as a side effect, violating least surprise and making its behavior broader than documented. Hidden environment-changing actions are risky in agent skills because callers may permit document generation but not subprocess execution or networked package installation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Executing a package installation subprocess is not necessary for the core task of generating a PDF during normal runtime and introduces a privileged action into an otherwise simple utility. In an agent-skill context, this makes the skill more dangerous because it can alter the runtime environment and trigger code execution paths outside the expected scope.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description explicitly states that it sends leave requests to a supervisor and remembers employee data, but it provides no notice about external transmission, data retention, or handling of personal information. This can lead users to disclose HR-related personal data without informed consent and may result in unintended sharing or storage of sensitive employee information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example command to send a leave request to the user's boss normalizes an external email-sending action without any warning or confirmation step. In context, this is more dangerous because the skill deals with employment and scheduling data, so accidental or opaque transmission could expose personal or workplace information to unintended recipients.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code automatically installs a package without explicit user approval, meaning a seemingly harmless function can make networked changes and execute package-management actions on the host. This lack of confirmation is especially problematic for agent-executed skills, where users may not realize the tool can mutate the environment.

VirusTotal

64/64 vendors flagged this skill as clean.