Update Approval Guard

Security checks across malware telemetry and agentic risk

Overview

The main update-approval instructions are conservative, but the published package also contains unrelated automation, credentials, and external social/news/Feishu workflows that do not fit that purpose.

Do not install this package as-is unless you have reviewed and removed the unrelated workspace contents and rotated any exposed credentials. A safe version should contain only the update-approval SKILL.md, minimal examples, and clearly scoped state files; it should not include social automation, news/reporting pipelines, memory logs, external dashboard status updates, or embedded tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (416)

Tainted flow: 'payload' from os.getenv (line 45, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
            "search_depth": "basic"
        }

        response = requests.post(url, json=payload, timeout=10)
        response.raise_for_status()
        data = response.json()
        return data.get('results', [])
Confidence
98% confidence
Finding
response = requests.post(url, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to read and write files, invoke shell commands, and perform network-backed update checks, yet it declares no permissions. That mismatch is a real security issue because it prevents proper capability review and weakens any sandbox or approval model that relies on declared permissions. In this context the skill is intended to mutate software after approval, so undeclared powerful capabilities are especially risky even if the stated workflow is conservative.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This AGENTS.md grants the agent broad standing authority far beyond a narrow update-approval workflow, including reading personal memory files, checking external services, participating in chats, and committing/pushing changes. In the context of an update-approval guard, this scope expansion materially increases the attack surface and can enable unintended data access, external communications, or unauthorized repository mutations unrelated to the user’s update request.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The document presents conflicting guidance: one section says to ask before anything leaves the machine, while another pre-authorizes web searches and calendar checks. Ambiguous safety boundaries are dangerous because an agent may interpret the more permissive rule as authorization for networked actions without contemporaneous consent, undermining the update-approval model.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The SOUL file instructs the agent to automatically send status updates to an external dashboard at task start, completion, and error, which is an external side effect unrelated to the skill's stated approval-guard purpose. In this context, that behavior bypasses the expected explicit-consent model and can leak task activity, progress, and potentially sensitive operational metadata without user approval.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This file grants the agent an unjustified capability to publish task and presence information to an external service, including task-state labels and descriptive details. Because the skill is supposed to inspect updates and wait for approval before mutation, adding unrelated outbound telemetry expands the trust boundary and creates a real privacy and policy risk.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document says to ask before acting externally, but elsewhere requires automatic external updates, creating conflicting instructions that can cause the agent to perform outbound actions without confirmation. That contradiction is dangerous because approval-guard skills rely on clear boundaries, and ambiguous policy often results in the more permissive behavior being followed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file defines a complete industry-news collection, ranking, deduplication, scheduling, and delivery pipeline that is unrelated to the declared purpose of an update-approval guard. This kind of hidden scope expansion is dangerous because it introduces undisclosed data collection and outbound communication capabilities into a skill that users would reasonably trust only to inspect updates and await approval.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The configuration enables external search providers, content processing, expansion logic, Feishu Bitable access, and direct user messaging, none of which are justified by the stated update-approval function. In this context, these capabilities materially increase the risk of covert exfiltration, unsolicited outbound messaging, or execution of unrelated workflows under the cover of a trusted maintenance skill.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill is described as a dry-run update approval guard, but its configuration enables unrelated external content-retrieval and web-search MCP servers. This expands the skill's effective capabilities beyond its stated purpose and creates unnecessary data egress and prompt-surface risk, especially because remote services can influence agent behavior or receive sensitive context.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file documents a completely different capability than the declared skill purpose: an automated news collection, storage, and push pipeline with cron scheduling and Feishu integration. In a security-sensitive skill package, this mismatch is dangerous because it can conceal undeclared behavior, mislead reviewers and users about what the skill actually does, and normalize unrelated networked automation under an approval-guarded update-check label.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states the system automatically collects, processes, stores, and pushes daily news, which conflicts with the skill's claimed behavior of dry-run inspection pending explicit approval. This contradiction increases the chance that operators approve or install a skill under false assumptions, enabling unattended mutation-like activity, external communications, and data handling outside the expected trust boundary.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section introduces external search providers, Feishu write access, and message-push permissions that are not justified by an approval-guarded update-check skill. Unrelated outbound integrations and persistence targets materially expand the attack surface, create opportunities for covert exfiltration or unauthorized automation, and make the skill context far more dangerous because the declared purpose gives users no reason to expect these capabilities.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file documents and appears to operationalize an unrelated InStreet social-automation integration inside a skill whose declared purpose is guarded update approval. That mismatch is dangerous because it can hide covert functionality, including automated posting, commenting, liking, and heartbeat activity, under a benign skill identity, defeating user trust and review expectations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Automated social-network interactions such as replying, browsing, liking, and posting are unjustified within an update-approval guard and create an unnecessary outbound-action surface. In this context, the documented automation could be used for spam, impersonation, reputation manipulation, or covert command-and-control-like signaling, especially because it is described as recurring autonomous behavior.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation directly contradicts the declared skill identity by presenting a completed third-party community integration, account details, and operational setup for a different purpose. This inconsistency is a strong indicator of deceptive packaging or supply-chain abuse, where reviewers may approve the skill based on metadata while hidden functionality serves another objective.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The memory log is clearly misaligned with the declared skill purpose and documents a different news-reporting capability, including scheduling, publishing, translation, and external storage details. This creates a dangerous context-mix where an update-approval guard may inherit or surface unrelated operational behaviors, increasing the chance of unauthorized actions, confused-deputy behavior, or accidental invocation of capabilities the user did not intend.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file embeds capability context for publishing, Feishu storage, translation tooling, and scheduled report generation that is unrelated to an approval-guard skill. Even if not executable by itself, such embedded context can steer an agent toward inappropriate tool use or broaden the apparent authority of the skill during later interactions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The log shows update execution and completion even though the skill metadata promises an approval-gated, non-mutating dry-run flow unless the user explicitly confirms. This mismatch is security-relevant because it indicates the guardrail may be ineffective or bypassed, allowing software or skill mutations without a fresh approval event tied to the execution.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Labeling a task as 'Daily Update Approval' while nearby entries indicate real updates were executed can mislead reviewers and users about whether changes were merely proposed or actually applied. That ambiguity weakens oversight and can hide unauthorized or unintended mutations behind approval-themed wording.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements a daily weather and AI-news report generator, which is unrelated to the declared purpose of an update-approval guard. Capability drift like this is dangerous because it introduces hidden behavior, network access, and data processing that users and reviewers would not expect from the skill metadata.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill performs external weather and news aggregation despite claiming to only inspect updates and require approval before mutation. In this context, unjustified network capabilities are more dangerous because they expand the attack surface, enable exfiltration or tracking, and bypass user expectations about what the skill should contact.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module docstring explicitly describes a daily AI news and weather report generator, directly contradicting the declared update-approval function. Such mismatches are a strong indicator of repurposed or hidden functionality and make review, consent, and security boundary enforcement unreliable.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements a full news collection, scraping, summarization, storage, and push-notification workflow that is unrelated to the declared skill purpose of guarded update approval. This kind of capability mismatch is dangerous because it can conceal unauthorized data collection and outbound communication under the cover of an innocuous manifest description.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code performs broad external search requests and then fetches arbitrary article URLs returned by those searches, even though the skill is supposed to check updates without mutation. In this context, arbitrary outbound requests greatly expand the attack surface, enable covert data exfiltration channels, and create SSRF-like risk if attacker-influenced URLs are processed.

VirusTotal

65/65 vendors flagged this skill as clean.