Security audit

narrative-topology

Security checks across malware telemetry and agentic risk

Overview

This is a local Python helper for extracting marked relationship triples into an adjacency matrix, with the main caution that it recursively reads matching files under the directory where it is run.

Install only if you are comfortable running a local scanner. Run it from a dedicated folder containing the documents you want analyzed, not from a home directory or broad repository root, because it recursively reads matching files and prints any extracted graph structure.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill embeds Python code that recursively reads files from the current working directory, but the skill metadata does not declare permissions or warn users about that file access. In an agent environment, undeclared file-reading behavior can expose unrelated local documents, source files, or sensitive workspace contents beyond what the user intended to analyze.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The skill claims to extract semantic relationships from narratives, but the implementation actually walks the filesystem, parses only specially marked inline syntax, and ignores predicates entirely. This mismatch is security-relevant because users may trust the description and run it on a workspace without realizing it will recursively inspect many local files, increasing the chance of unintended data exposure and misuse.

Description-Behavior Mismatch

Low

Confidence: 84% confidence
Finding: The scanner recursively walks the entire current working directory and reads matching files, which is broader than the skill description suggests. In an agent environment, this can unintentionally ingest unrelated repository content, including sensitive local documents, and expose their derived structure in output without clear user intent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The markdown instructs users to run a scanner that recursively reads files in the current directory, but it does not prominently warn that this can sweep in many documents and source files. In practice, that broad default can cause unintended collection and processing of sensitive local content, especially when used in shared repos or home directories.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.