Back to skill

Security audit

Strands Agents SDK

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Strands agent-building skill, but its default generated agents can read and write local files and run shell commands without strong safeguards.

Install only if you are comfortable treating generated agents as privileged local programs. Review generated code before running it, remove or constrain shell and file-write tools, use a sandbox or dedicated project directory, use least-privilege API and cloud credentials, and load only trusted agent files or MCP servers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents and encourages use of file read/write, shell, and MCP capabilities, but the metadata declares no permissions. This creates a transparency and consent gap: users or policy engines may treat the skill as low-privilege while it scaffolds agents that can access the filesystem, execute commands, and connect to external tool servers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description presents broad agent-building functionality, while the documented/generated patterns include powerful unrestricted tools such as file read/write and shell access that are not clearly disclosed as high-risk capabilities. This mismatch can cause users to invoke the skill expecting simple scaffolding, but receive or enable agents with materially more dangerous execution powers.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The scaffold generator embeds a `run_command` tool into every generated agent, giving the LLM arbitrary shell execution capability that is not necessary for basic agent scaffolding. In the context of an autonomous AI agent, this materially increases the chance of prompt-injection-driven command execution, local data access, package installation, or destructive system actions by default.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The example introduces a write_file tool that can overwrite arbitrary paths without any warning, restriction, or safety guidance. In an agent context, normalizing unrestricted write access increases the chance of accidental file destruction, persistence of malicious content, or modification of sensitive configuration files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Listing shell and HTTP-capable tools without user-facing warnings understates the risk of command execution and outbound data transmission. In agent systems, these tools can be chained by model decisions to run destructive commands, exfiltrate data, or interact with untrusted remote services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The generated agent advertises itself as a general helpful agent while silently including powerful file read/write and shell execution tools. Users may run the scaffold without realizing the model can modify files and execute commands, which makes prompt injection or misuse substantially more dangerous in this skill context.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The scaffolder creates directories and writes project files using fixed names without warning that existing files may be replaced or modified. While this is not a remote-code-execution issue, it can cause accidental data loss or unintentional overwriting in an existing workspace.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script dynamically imports and executes an arbitrary Python file supplied on the command line via exec_module(), which runs top-level code immediately during loading. In the context of an agent runner, this means opening an untrusted agent file results in full arbitrary code execution with the user's privileges, and the script provides no warning, trust boundary, or restriction to reduce that risk.

Unvalidated Output Injection

High
Category
Output Handling
Content
command: Shell command to execute.
    """
    import subprocess
    result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=60)
    output = result.stdout
    if result.stderr:
        output += f"\\nSTDERR: {{result.stderr}}"
Confidence
99% confidence
Finding
subprocess.run(command, shell=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
command: Shell command to execute.
    """
    import subprocess
    result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=60)
    output = result.stdout
    if result.stderr:
        output += f"\\nSTDERR: {{result.stderr}}"
Confidence
98% confidence
Finding
subprocess.run(command, shell=True

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.