Fabric CLI skill - Self-Organizing Personal Cloud

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Fabric.so CLI helper that can read, write, and persist data in a Fabric workspace, with meaningful consent and secret-handling guidance.

Install only if you intend to let an agent use your Fabric.so CLI. Review any write, upload, workspace switch, auth, installer, or memory action before it runs, and do not let it store secrets, credential files, private keys, browser profiles, or sensitive personal data in Fabric.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
add(results, os.access(script, os.X_OK), f"script executable bit set: {script.relative_to(root)}")
if run_script_help:
    try:
        proc = subprocess.run([sys.executable, str(script), "--help"], capture_output=True, text=True, timeout=8, check=False)
        add(results, proc.returncode == 0 and "usage" in proc.stdout.lower(), f"script --help works: {script.relative_to(root)}")
    except Exception as exc:
        add(results, False, f"script --help works: {script.relative_to(root)}", str(exc))
Confidence
92% confidence
Finding
proc = subprocess.run([sys.executable, str(script), "--help"], capture_output=True, text=True, timeout=8, check=False)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The template permits a broad set of actions, including write and destructive-capable operations, but provides no activation constraints, parameter schema, or contextual guardrails to limit when each action should be used. In an agent setting, this ambiguity can let untrusted prompts steer the skill into selecting higher-risk operations without clear policy checks, especially since `requires_confirmation` is set to false by default.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly guides saving notes, URLs, files, and other content into Fabric persistent storage, but it does not instruct the agent to warn users or obtain confirmation before persisting potentially sensitive material. In an agent setting, users may not realize that ad hoc text, local files, or URLs could contain secrets, personal data, or proprietary information, so the omission creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The agent-memory workflow encourages generating a structured session handoff note and uploading it to Fabric as persistent memory, but it lacks a clear warning that this may retain sensitive project details, personal data, or confidential operational context beyond the current session. Because memory notes are framed as a normal end-of-task step, an agent could routinely persist information the user did not intend to store long-term.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The validator includes an option to run each local script with `--help`, but the CLI does not clearly warn that this executes arbitrary code from the repository. A user may invoke this helper assuming it only performs static package checks, creating a trust-boundary violation where malicious skill code can run during validation. The fabric-cli skill context makes this somewhat more dangerous because it is specifically packaged as tooling around local CLI workflows, where users may be more inclined to run helper scripts on cloned content.

VirusTotal

64/64 vendors flagged this skill as clean.
