Back to skill

Security audit

Guardian

Security checks across malware telemetry and agentic risk

Overview

Guardian is a safety-focused skill, but its own rules are inconsistent in ways that could let destructive actions proceed without the human approval users would expect.

Treat this as a Review item, not malware. Install only if you are comfortable auditing and overriding its policy: require explicit human approval for all high-risk or critical destructive actions, do not rely on JIT downgrades, and do not treat the bundled backup scripts as proof that a real restorable backup exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a mandatory destructive-action gatekeeper, but the document only specifies policy and backup-check concepts rather than any enforceable interception mechanism. In a safety-critical context, this mismatch is dangerous because operators may rely on Guardian to block destructive actions when, in practice, it may only provide advisory checks or environment inspection, creating a false sense of protection.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The decision tree explicitly allows some MEDIUM-risk destructive actions to proceed without backup verification when the target is not in a protected path. That contradicts the skill's stated purpose as a mandatory safety gatekeeper that enforces backup verification before destructive execution, creating a policy gap an agent could exploit to perform irreversible changes without recoverability.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The escalation table permits agent self-approval for MEDIUM-risk operations when no backup exists, which undermines the core guarantee that destructive actions without backup are halted or escalated. In a gatekeeper skill, this is dangerous because an autonomous agent can classify risky actions as MEDIUM and bypass human review before making irreversible changes.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The JIT override text conflicts with the stated rule that high-risk destructive operations always require human approval. Ambiguity in safety policy is itself exploitable because an agent or integrator can choose the more permissive interpretation and proceed with dangerous actions under a JIT window.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
This contradiction creates a policy path where a high-risk destructive operation may be treated as proceedable if backup is verified during a JIT window. In a guardrail skill, that effectively weakens the approval boundary and could normalize autonomous execution of actions that were supposed to be blocked pending human review.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The later statement that JIT downgrades high risk to Fast-Track directly undermines earlier mandatory escalation requirements. Because this is a safety gatekeeper for irreversible actions, such a semantic conflict can be used to justify proceeding with destructive operations without the human approval the skill claims to require.

Ssd 4

High
Confidence
94% confidence
Finding
The skill starts from a strong safety posture but then introduces a JIT exception that weakens that posture for the most dangerous class of operations. This is dangerous because users and agents may internalize the broad 'mandatory safety gatekeeper' framing while operational behavior drifts toward accepting high-risk destructive actions under exception windows.

Ssd 4

High
Confidence
95% confidence
Finding
Reclassifying high-risk actions into a fast-track path in a later section materially weakens the mandatory halt-and-escalate control. In a destructive-operations gatekeeper, that kind of later permissive clause is especially dangerous because implementers may copy the simpler proceed-if-backed-up rule and omit the stricter approval requirement.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.