Strands

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate agent-building helper, but its default scaffold gives generated agents broad file and shell access without strong user-facing guardrails.

Install and use this only in an isolated Python environment or disposable workspace. Before running generated agents, review or remove the default read_file, write_file, and run_command tools, especially around secrets, cloud credentials, production repositories, and important local files. Connect only trusted MCP servers and use least-privilege provider credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents and encourages use of capabilities that can read files, write files, execute shell commands, and connect to MCP servers, but the metadata declares no permissions or safety boundaries. That mismatch can cause downstream systems or users to underestimate the skill's power and approve execution in contexts where these actions are sensitive.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The scaffolded agent template grants the LLM an unrestricted shell-execution tool by default, even though the script's purpose is only to scaffold an agent project. In practice, any user prompt or prompt-injection reaching the generated agent can cause arbitrary command execution on the host, turning every scaffolded project into a code-execution agent without explicit operator opt-in.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The custom tool example includes arbitrary file writing but does not warn that running such a tool can modify local files or overwrite data. In a skill meant to scaffold autonomous agents, omissions like this increase the chance that users expose unsafe write primitives without considering path restrictions or confirmation requirements.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The built-in tools list prominently includes shell, file_write, and http_request without a corresponding warning that they can execute commands, alter the system, and send data off-host. Because this skill is specifically about building autonomous agents, presenting these as routine tools without guardrails materially increases the risk of unsafe agent configurations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The generated agent includes both file-write and shell-execution capabilities, but the scaffolded README and CLI usage do not warn users that the created agent can modify files and run arbitrary commands. This increases the chance that developers or end users run the generated agent with misplaced trust, underestimating its ability to make impactful system changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script dynamically imports and executes any Python file supplied on the command line via exec_module(), which runs top-level code immediately with the privileges of the current user. In a skill explicitly designed to run agent code, this behavior is intentional, but it is still dangerous because pointing it at an untrusted or trojanized agent file results in arbitrary code execution, local file access, network calls, or credential theft.

VirusTotal

64/64 vendors flagged this skill as clean.