Back to skill

Security audit

grpc-test-automation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate embedded gRPC testing skill, but it needs review because it documents unauthenticated board control, remote upload/execution, shutdown, plaintext network services, and automatic package installation.

Install only for controlled embedded-board test automation. Review generated scripts before running them, use a virtual environment or container with pinned dependencies, restrict the board-control socket and gRPC server to localhost or an isolated lab network, add authentication/TLS or firewalling, avoid the SHUTDOWN command unless explicitly needed, and clean up test reports that may contain SDK, device, or error details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("Installing openpyxl...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "openpyxl", "-q"])
    import openpyxl
    from openpyxl.styles import Font, Alignment, PatternFill, Border, Side
    from openpyxl.utils import get_column_letter
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "openpyxl", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill describes file reads/writes and shell execution workflows but does not declare permissions, which weakens user visibility and policy enforcement around sensitive capabilities. In a skill that builds binaries, deploys artifacts, and starts services on a target board, undeclared execution and filesystem access materially increase the risk of unexpected system modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
A description-behavior mismatch is dangerous because users may consent to a narrowly scoped embedded-device test workflow while the skill scaffolds projects, installs packages, generates placeholder code, and runs a different localhost-based process than advertised. That gap undermines informed consent and can hide risky actions such as dependency installation, shell execution, and filesystem changes outside the expected task.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The protocol exposes a SHUTDOWN command that can power off or halt the board, which is unnecessary for ordinary gRPC test execution and expands the attack surface with a destructive remote action. In the shown design there is no authentication, authorization, confirmation step, or transport protection, so anyone able to reach the socket could trigger service interruption or device outage.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A report-generation utility should normally transform local test data into an Excel file, but this code expands its capabilities by reaching out to install packages dynamically. In the context of an embedded/gRPC test automation skill that may run in CI, lab hosts, or privileged engineering environments, this increases supply-chain and environment-manipulation risk beyond the stated purpose of the component.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly describes mounting resources to a board, setting LD_LIBRARY_PATH, and executing a server binary, but provides no warning that it will modify and run code on the target system. For embedded devices, such actions can disrupt services, alter libraries, consume storage, or leave a persistent test service exposed on the board.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The skill states that JMeter will collect response data and generate result files and an Excel report, but does not warn that potentially sensitive test inputs, outputs, device identifiers, or error details may be stored on disk. In testing environments, these artifacts can expose proprietary SDK behavior, board metadata, or operational data if retained insecurely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Documenting destructive shutdown behavior without any warning normalizes a dangerous capability and increases the chance it will be used unsafely in automation or testing environments. In this skill context, the protocol is intended to operate against embedded boards, so an undocumented remote shutdown can disrupt testing infrastructure and potentially affect real hardware availability.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The protocol documents remote file copy/upload and process start operations without warning that they can modify the target filesystem and execute binaries on the board. In a test automation skill for embedded devices, these are highly sensitive actions because they amount to remote deployment and code execution, especially concerning given the lack of any authentication or integrity checks in the examples.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The initializer silently runs pip3 install during setup, causing network access and modifying the host Python environment without explicit user consent. In a security-sensitive or build environment, this can introduce supply-chain risk, unexpected dependency changes, and non-reproducible state; the skill context makes this somewhat more concerning because test automation often runs on engineering machines or CI systems with broad access.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.