小龙虾 (Crayfish) Layered Task Workflow

Security checks across malware telemetry and agentic risk

Overview

This workflow skill creates project files and has optional backup, email, and progress-reporting features that are visible in the artifacts and mostly disabled by default.

Install only if you want a workflow tool that creates and stores project/task artifacts. Keep email, cloud/Git backup, and broad progress logging disabled unless you have reviewed the recipients, repository, storage path, and retained content. Avoid using it on sensitive projects without first checking what files and logs will be written or backed up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tmp_path = Path(tmpdir)

# Clone the repository
subprocess.run(['git', 'clone', git_repo, tmp_path],
               capture_output=True, check=True)

# Switch to the specified branch
Confidence
93% confidence
Finding
subprocess.run(['git', 'clone', git_repo, tmp_path], capture_output=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True, check=True)

# Switch to the specified branch
subprocess.run(['git', '-C', tmp_path, 'checkout',
                self.config['git_branch']], capture_output=True, check=True)

# Copy project files into the repository
Confidence
85% confidence
Finding
subprocess.run(['git', '-C', tmp_path, 'checkout', self.config['git_branch']], capture_output=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True, check=True)

# Push
subprocess.run(['git', '-C', tmp_path, 'push', 'origin',
                self.config['git_branch']], capture_output=True, check=True)

logger.info(f"Git备份成功: {git_repo}")
Confidence
95% confidence
Finding
subprocess.run(['git', '-C', tmp_path, 'push', 'origin', self.config['git_branch']], capture_output=True, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation shows capabilities for file read/write, shell execution, and network use, but it declares no permissions or safety boundaries. This creates a hidden-trust problem: an agent or user may invoke a workflow that can modify the filesystem, execute commands, and communicate externally without explicit review or consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is task decomposition and execution, but the content also describes backup/archive behavior, Git operations, email sending, progress reporting, and state persistence. This mismatch is dangerous because it obscures materially different behaviors that can exfiltrate data, alter repositories, or persist sensitive task state beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file implements broad backup, archival, cleanup, and Git synchronization behavior that is not aligned with the stated skill purpose of layered task decomposition/execution. This mismatch is security-relevant because undeclared capabilities increase the chance of hidden data handling, unexpected file operations, and network transmission outside user expectations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This section clones a repository, copies project files into it, commits them, and pushes to a remote branch, creating a full remote exfiltration path not justified by the skill description. In a workflow skill context this is especially dangerous because users may not expect their project files, logs, outputs, or state to leave the local environment.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The backup flow performs broad recursive file collection, archive creation, and cleanup/deletion operations over the provided project directory. That capability is more dangerous in this skill context because it extends beyond task decomposition into filesystem inventory and destruction of older backups, increasing confidentiality and availability risk if misused or pointed at sensitive directories.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This file implements an outbound email reporting subsystem even though the declared skill purpose is hierarchical task decomposition/execution. That capability expands the data exposure surface by enabling task details to leave the local workflow boundary, which is security-relevant when users may not expect external communications from this skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The SMTP connection and delivery logic provide a direct exfiltration path for workflow data to external recipients. In the context of a task workflow skill, this is more dangerous because task summaries, progress, and activity content may include sensitive project, operational, or personal information, and the feature is not tightly scoped to the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code writes full email bodies, including HTML and text content, to local JSON files under /tmp for debugging and backup. This creates a secondary data leakage channel because sensitive task details persist on disk in a commonly accessible temporary location, potentially readable by other local users, processes, or later sessions.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The code writes full email contents, including task descriptions, project paths, sender, and recipient metadata, to local log files. If those messages contain sensitive operational data, secrets, or internal paths, disk persistence can expose them to other local users, backups, or later compromise beyond the intended email flow.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code intends to make current-phase leaf steps depend on previous-phase leaf steps, but instead assigns each current leaf a dependency on its own step_id. This breaks execution ordering and can cause steps to become permanently blocked, execute incorrectly, or bypass intended sequencing controls in an automation workflow that may call APIs or process project artifacts.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
render_to_file writes to any caller-supplied path and creates parent directories automatically, with no validation or sandboxing. In an agent/workflow context, if an upstream user or task can influence output_path, this can be abused for arbitrary file write within the process's permissions, potentially overwriting configuration, dropping files in sensitive directories, or planting misleading artifacts.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The auto-trigger guidance uses broad conditions like complex keywords, estimated long runtime, or vague user intent, which can cause unintended activation of a powerful workflow. In context, accidental activation is more dangerous because the skill appears capable of filesystem changes, execution, and possibly network/reporting actions, expanding the blast radius of a mistaken trigger.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill mentions automatic email reporting but does not warn about privacy, confidentiality, or data-handling implications. Because workflow reports can include task details, project structure, errors, and status information, sending them automatically risks leaking sensitive content to external recipients or misconfigured destinations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly stores task summaries, step inputs/outputs, reports, and API call logs in project files and log directories, but it does not warn that these artifacts may contain sensitive user data, secrets, or regulated content. In a task-execution workflow, this omission can lead to over-collection and persistent storage of confidential information, increasing exposure through local access, backups, or later sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recommended 'local + cloud' backup strategy duplicates workflow artifacts without addressing that backups will also copy user content, intermediate outputs, and logs that may contain sensitive material. This broadens the attack surface and can create privacy, residency, and compliance issues, especially when the workflow is designed to process arbitrary user tasks and generate many stored files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code transmits project contents to a remote Git repository with no explicit user-facing warning at the point of execution. This is dangerous because the backed-up material may include execution state, logs, and outputs, and users of a task workflow skill are unlikely to expect silent off-host transfer.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Persisting complete email contents to local files without clear user-facing disclosure undermines privacy expectations and can expose sensitive workflow content. The risk is amplified here because the logged material includes task names, descriptions, activities, and next steps, all of which may contain confidential operational data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Email content and recipient information are persisted to disk without any visible user-facing notice or consent mechanism. This creates a privacy and data-handling risk because users may reasonably assume email transmission is ephemeral, while the implementation silently creates a local archive of potentially sensitive content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tracker automatically persists task progress reports to disk under /tmp/xlx_progress_logs when background reporting is enabled by default. These reports can contain task names, activity descriptions, timing data, and custom metrics, so on multi-user systems or shared environments they may expose sensitive workflow metadata without explicit user consent or restrictive file-handling controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Execution results are automatically persisted to disk under the project directory, including full step output and possible error details, without any consent gate, disclosure, or controls around sensitive content. In an agent workflow, outputs may contain secrets, proprietary prompts, file contents, or API-derived data, so silent persistence increases the risk of unintended data retention and later disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The executor rewrites step JSON files in the project tree automatically, which can overwrite user-managed project metadata and alter execution state without clear authorization or backup. In workflow automation, silent mutation of project files can corrupt state, destroy evidence of prior runs, or be abused to misrepresent which steps actually succeeded or failed.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The generated markdown report is written to disk automatically and may summarize step outcomes, timestamps, and failure details that could be sensitive in some environments. While lower impact than raw output persistence, it still creates undisclosed durable artifacts that may leak operational information or confidential workflow details.

VirusTotal

64/64 vendors flagged this skill as clean.