Back to skill

Security audit

Skill Creator Max

Security checks across malware telemetry and agentic risk

Overview

The skill looks like a real skill-building pipeline, but it needs review because it can automatically run local harness scripts chosen by generated evidence files and make broad project documentation changes.

Install only if you trust the workspace where it will build skills and are comfortable with it running generated test harnesses. Before use, restrict it to a disposable or sandboxed project directory, review any Evidence Dossier harness_path before validation, and require explicit confirmation before root README, KB, or changelog updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
        cmd = [resolved]
    try:
        proc = subprocess.run(cmd, cwd=target_dir, capture_output=True, timeout=120)
        return True, proc.returncode, "ran"
    except Exception as e:
        return False, None, f"error running harness: {e}"
Confidence
96% confidence
Finding
proc = subprocess.run(cmd, cwd=target_dir, capture_output=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill orchestrates file reads, file writes, and shell-based validator execution, but it does not declare those permissions explicitly. This creates a trust and review gap: callers may invoke the skill believing it is metadata-only, while the actual behavior can modify files and execute subprocesses such as validation and harness scripts. In a skill that creates and evaluates other skills, those capabilities materially increase the blast radius if inputs, referenced scripts, or generated artifacts are adversarial or malformed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file directs the skill authoring workflow to always update user-visible documentation files such as README.md, README.en.md, CHANGELOG.md, and the root project README as part of every skill change. Requiring these writes without an explicit user-consent or confirmation step can cause unintended repository modifications and broadens the skill's side effects beyond the requested task.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The 'Simplified Chinese default' rule imposes an output-language policy without user opt-in. While not a classic security flaw, it can mislead users, reduce transparency of generated changes, and increase the chance that harmful or inaccurate edits are accepted without proper review.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The validator performs subprocess execution as part of normal operation without an explicit user-facing warning or opt-in at the point of action. In this context, that hidden execution materially increases risk because a user may believe they are only parsing a JSON report, while the tool may actually run attacker-supplied code from the target directory.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.