Back to skill

Security audit

Strands

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Strands agent helper, but its default generated agent can read and write files and run shell commands without strong guardrails.

Use this only in an isolated Python environment or disposable workspace. Before running generated agents, review or remove the default file and shell tools, avoid pointing them at secrets or production repositories, use least-privilege cloud/API credentials, and connect only trusted MCP or A2A services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents and encourages use of file read/write, shell execution, and MCP connectivity, but its metadata declares no corresponding permissions or safety boundaries. This creates a capability/permission mismatch that can cause downstream systems or users to invoke powerful local and remote actions without explicit review, increasing the chance of unsafe execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The scaffolded agent grants an LLM unrestricted shell execution via a default tool, which is far broader than simple agent scaffolding and creates a ready-made arbitrary command execution surface. In the context of an autonomous agent framework, this is especially dangerous because prompt injection, model error, or unsafe user prompts can directly trigger system commands on the host.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generated agent exposes broad file read and write capabilities over arbitrary paths with no sandboxing, path restrictions, or confirmation gates. For an AI agent, this enables data exfiltration, credential theft, destructive overwrites, and persistence if the model is induced to act on malicious instructions or prompt injections.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation presents shell and file-writing tools as normal built-ins without warning that they can modify the host system, execute arbitrary commands, or expose sensitive data. In an agent skill context, examples strongly influence usage, so omission of cautions can lead users to wire unsafe tools into autonomous agents with little oversight.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The MCP and SSE examples normalize cross-process and network connections to external tool providers without warning about trust boundaries, data exfiltration, or remote code/tool abuse. Because agents may forward prompts, files, secrets, or environment-derived context to connected services, this can expand the attack surface significantly if untrusted servers are used.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The scaffold creates an agent with file-writing and shell-execution powers but the generated README presents it as a normal runnable agent without any prominent security warning or safe-usage guidance. This increases the likelihood that users run a highly privileged agent without understanding the risks, making exploitation via unsafe prompts or prompt injection more likely.

Unvalidated Output Injection

High
Category
Output Handling
Content
command: Shell command to execute.
    """
    import subprocess
    result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=60)
    output = result.stdout
    if result.stderr:
        output += f"\\nSTDERR: {{result.stderr}}"
Confidence
98% confidence
Finding
subprocess.run(command, shell=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
command: Shell command to execute.
    """
    import subprocess
    result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=60)
    output = result.stdout
    if result.stderr:
        output += f"\\nSTDERR: {{result.stderr}}"
Confidence
98% confidence
Finding
subprocess.run(command, shell=True

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.