Auto Skill Hunter

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent purpose, but it can automatically read prior user context, install and run new skills, and send reports outside the workspace without strong approval or containment boundaries.

Install only after deciding you are comfortable with an agent changing its own skill stack. Use `--dry-run` first, set `SKILL_HUNTER_NO_REPORT=1` unless reporting is explicitly approved, avoid cron scheduling in shared or sensitive environments, and manually review any recommended skill source before allowing clone, install, or self-test execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents behavior that relies on network access and is controlled by environment variables, yet no explicit permission declaration is present. That creates a trust and review gap: operators may invoke it without understanding that it can reach external services, inspect env flags, and perform actions influenced by environment state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose understates the operational scope: the skill mines local chat/session and profile data, writes into the local skills workspace, executes external commands, and can send external reports. This mismatch is dangerous because users may authorize a discovery helper without realizing it performs sensitive local data access, code installation, command execution, and outbound communication.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly targets broad local context sources such as USER.md, task memory, personality state, and recent session logs to drive autonomous skill discovery. This creates unnecessary access to sensitive user and agent context, and that context is later used in outbound requests and reporting, increasing privacy and prompt-data exposure risk.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill not only discovers and installs remote skills, it also executes installed code via `node ... --self-test` and sends reports through an external wrapper. Running newly cloned code from untrusted repositories is a direct remote code execution path, and coupling that with external reporting expands blast radius if the installed code or report pipeline is malicious.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes mining recent conversations, session JSONL files, and task memory to discover unresolved problems, but it does not mention consent, data minimization, or privacy boundaries. In a skill that also performs automated discovery and optional reporting, this creates a real risk of collecting and reusing sensitive user content beyond the original purpose.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation guidance is broad enough to trigger in many normal situations such as generic capability gaps or requests for better tools. In context, that matters because triggering this skill can lead to autonomous network search, local data mining, code installation, and execution, so overbroad invocation increases the chance of unnecessary risky actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The scheduled patrol recommendation encourages recurring autonomous execution every 30–120 minutes without clearly defining approval boundaries, review checkpoints, or safe environments. Because the skill can discover, install, and test new skills on a timer, ambiguous scheduling materially increases the risk of unattended supply-chain changes and repeated privacy-impacting data access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The scheduling section does not clearly warn that the skill may automatically install new skills on a recurring basis. This is dangerous because operators may treat it as a passive discovery tool while it actually introduces and executes new code over time, creating persistent supply-chain and change-management risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow states that it mines recent chat/session memory and user profile/personality data, but there is no explicit privacy warning, retention statement, or consent model. This is risky because it normalizes analysis of potentially sensitive user data to drive recommendations and possibly outbound reporting, without clear boundaries or minimization.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest description explicitly frames the skill as acting autonomously to discover, rank, and install other skills based on broad signals like unresolved problems and capability gaps. That kind of ambiguous, self-expanding activation language is dangerous because it can normalize unsolicited installation behavior and widen the circumstances under which the agent takes high-impact actions without clear user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installer clones arbitrary remote repositories into the local skills directory and writes scaffold files automatically, with no approval gate in this file. This is a supply-chain risk that can introduce malicious code or persistence into the agent environment without informed consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code harvests recent session files, task memory, personality state, and user profile to construct search context, then later includes derived problem summaries in a report that is sent externally. Even if transformed, this is still cross-boundary disclosure of prior user data without clear disclosure or consent, making it a serious privacy leak.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill performs external HTTP searches using queries derived from user messages, memory, and profile context. Although it sends keywords rather than full transcripts, these queries can still reveal sensitive interests, incidents, tools, or internal project details to third-party services.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is described as continuously reading unresolved problems from recent conversations and combining them with agent context, and the README also references external report sending that can be disabled via an environment flag. That combination makes data exfiltration a plausible outcome: sensitive user/task details could be summarized and transmitted externally without clear default-off behavior, consent, or redaction controls.

Ssd 3

Medium
Confidence
91% confidence
Finding
The 'Auto Problem Mining' section instructs the system to read recent user messages from session files and extract unresolved statements from task memory. That is a direct encouragement to collect and repurpose potentially sensitive user inputs, and without boundaries it can expose private data in downstream search, scoring, installation decisions, or reports.

Ssd 3

Medium
Confidence
84% confidence
Finding
The README says recommendation reports explain why a skill was selected; because selections are based on mined user problems and task memory, those explanations may reveal sensitive user/task-derived details. Even if the report is concise, rationale text can leak private context to logs, operators, or external systems.

Ssd 3

High
Confidence
99% confidence
Finding
Recent user messages are harvested from session logs and distilled into search terms and workflow context. Mining prior conversations without explicit permission is dangerous because it can surface confidential requests, credentials-adjacent details, or sensitive operational context into later automated actions.

Ssd 3

High
Confidence
98% confidence
Finding
The generated patrol report embeds recent problem summaries and other context derived from task memory and prior user interactions in human-readable form. Human-readable summarization does not eliminate sensitivity; it often makes exfiltrated data easier to consume and more likely to reveal private user intent or internal issues.

Ssd 3

Critical
Confidence
100% confidence
Finding
The patrol report, which includes prior user/task context, is automatically passed to an external reporting script. This creates a direct exfiltration path for historical user data and operational context, and the destination/behavior of the wrapper is not constrained here, making the confidentiality risk severe.

Self-Modification

High
Category
Rogue Agent
Content
## Safety and Quality Guardrails

- Never overwrite existing skill folders.
- Prefer small, frequent patrols over large one-shot installs.
- Keep report output concise and action-oriented.
- Disable outbound reporting during local tests with `SKILL_HUNTER_NO_REPORT=1`.
Confidence
97% confidence
Finding
overwrite existing skill

VirusTotal

57/57 vendors flagged this skill as clean.
