
Security audit

Skill Conductor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pipeline orchestrator for building other skills; its local file writes, test execution, and sibling-skill calls are expected for that purpose.

Install this only alongside trusted versions of the required sibling skills, including vince-attacker and skill-zipper. Expect it to modify the target skill, run local tests or harnesses, create pipeline logs, and possibly overwrite stage artifacts during re-audit; use a version-controlled or disposable working copy when running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The orchestrator introduces an undeclared external dependency by invoking `vince-attacker` during final acceptance, even though the documented pipeline is framed around sibling stage skills. This expands the trust boundary and can execute additional instructions or side effects from a skill that is not clearly version-pinned, validated, or governed by the same stage contracts, creating supply-chain and execution-risk concerns.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The rule first asserts that the conductor 'runs no scripts of its own' but later instructs it to execute `python3 ../skill-zipper/scripts/diff_lossless.py` directly as a fallback. That inconsistency weakens execution-boundary guarantees and can cause the orchestrator to run repository-supplied code unexpectedly, increasing the attack surface if the referenced script or surrounding path is tampered with.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding
The file explicitly states that re-running guidance overwrites the existing `handoff-spec.json`, and only later suggests copying it aside if a loop back to Stage E may be needed. That creates a real integrity and workflow risk: an operator following the documented sequence can destroy the original planning artifact before preserving it, making recovery, comparison, or correct loopback behavior harder.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The fallback procedure directs the agent to copy the target skill into `/tmp/<name>-before/` and execute an external Python script without any warning, trust boundary discussion, or sandbox requirement. In an agent skill that orchestrates end-to-end pipeline stages, such instructions can lead to unintended filesystem writes and execution of untrusted code during normal operation.

VirusTotal

63/63 vendors flagged this skill as clean.
