Back to skill

Security audit

agent-everything.exe

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Windows Everything search helper, but it can install tooling and make persistent PATH changes without a clearly separate approval step.

Install only if you are comfortable letting an agent search your Windows Everything index and perform setup actions. Before first use, decide whether you want it to download es.exe, start Everything, install ev shims, and modify your user PATH. Prefer scoped searches with --path and avoid raw or --allow-empty unless you specifically need broad enumeration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["EVERYTHING_CLI_SKILL_ROOT"] = str(SKILL_ROOT)
    env["EVERYTHING_CLI_REPO_ROOT"] = str(REPO_ROOT)
    env["EVERYTHING_CLI_CACHE_ROOT"] = str(CACHE_ROOT)
    return subprocess.run(
        [
            powershell,
            "-NoLogo",
Confidence
91% confidence
Finding
return subprocess.run( [ powershell, "-NoLogo", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", str

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell, file read/write, and environment-modification capabilities but does not declare permissions, which undermines informed consent and sandboxing decisions by the agent platform. In this context, the skill can bootstrap executables, write shims, and alter user environment state, so hidden capabilities materially increase the chance of unintended system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a search utility, but its documented behavior includes persistent installation actions such as creating command shims, modifying PATH through the registry, broadcasting environment changes, and writing into user-local bin/cache directories. That mismatch is dangerous because an agent or user may invoke it expecting read-oriented search behavior while it silently performs system persistence and configuration changes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a local indexed search wrapper, but it can download `es.exe` from the internet, extract it, cache it, and execute it. That expands the trust boundary from local search to remote software acquisition and execution, creating supply-chain and unexpected code-execution risk in contexts where users or agents may assume the skill is offline/local-only.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
An optional shim installation capability exceeds the stated purpose of performing indexed file search. Installing command shims modifies the execution environment and can create persistence or PATH-hijack style risks, especially when triggered by an automation agent rather than an interactive admin-controlled installer.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This search-oriented skill also installs command shims and persistently modifies the user's PATH in the registry, which exceeds the least-privilege expectation implied by its description. Persistence-changing behavior is dangerous because it alters future command resolution and can create lasting system state beyond the immediate search task.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes to HKCU\Environment\Path and broadcasts the environment change, giving the skill a persistent influence over the user's execution environment. In the context of a local search skill, this capability is not necessary for core functionality and increases the risk of command hijacking, unexpected tool precedence changes, or difficult-to-trace persistence.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Shim files are written and PATH may be updated without any user-facing warning or confirmation in this code path. Silent persistence and command alias installation are unsafe because users may not understand that future invocations of ev or everything-cli will be redirected through this script.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script invokes PowerShell with ExecutionPolicy Bypass without any visible disclosure or trust prompt. Even if the referenced script is local, bypassing policy weakens a platform security boundary and is more concerning here because the skill advertises simple local search rather than script execution or installation behavior.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
"--match-path" {
                $options.MatchPath = $true
            }
            "--allow-empty" {
                $options.AllowEmpty = $true
            }
            "--json" {
Confidence
79% confidence
Finding
--allow-empty

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.