Argument Selfloop

Security checks across malware telemetry and agentic risk

Overview

The skill’s main script is a local writing checker, but the package also bundles broad workflow pipelines and runner code that are much wider than the advertised argument self-loop purpose.

Install only if you intentionally want the broader research pipeline bundle, not just a narrow argument checker. Use version control, review generated diffs and output files, and avoid enabling automatic routing or shell-backed pipeline execution unless you understand the workspace-wide changes it may make.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    log_path = workspace / log_rel

    try:
        completed = subprocess.run(cmd, check=False, capture_output=True, text=True)
        if completed.stdout or completed.stderr or completed.returncode != 0:
            ensure_dir(log_path.parent)
            body = [
Confidence
91% confidence
Finding
completed = subprocess.run(cmd, check=False, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions, yet its contents explicitly direct execution of a Python script and modification of workspace files, implying file read, file write, and shell capabilities. This mismatch is dangerous because the runtime may grant capabilities that are invisible to policy reviewers, weakening least-privilege controls and making unintended filesystem changes harder to audit.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This file acts as a general workflow executor that runs skill scripts, which is inconsistent with the manifest for an argument-ledger/self-consistency tool. Capability mismatch is security-relevant because users and higher-level systems may grant this skill access assuming low-risk text analysis, while the implementation can trigger code execution and state transitions across the workspace.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code primarily manages pipeline execution, status mutation, approvals, rerouting, and downstream invalidation rather than maintaining an argument ledger or premise consistency report. This deception-by-mismatch increases danger because operators may trust the skill in contexts where only document analysis should occur, but the code can alter workflow state and invoke other components.

Scope Creep

Medium
Confidence
95% confidence
Finding
The code updates UNITS.csv, STATUS.md, DECISIONS.md approval state, and checkpoint metadata, which is far broader than the declared intermediate-artifact scope of an argument ledger. In a mis-scoped skill, these mutations can silently advance workflow state, mark items DONE, or alter approval records in ways users would not expect.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s core behavior is a full research-ideation pipeline that parses briefs, clusters notes, builds direction cards, scores them, and generates reports, which materially exceeds the declared skill purpose of argument-ledger and premise-consistency checking. In an agent skill system, this kind of capability mismatch is dangerous because a user invoking a constrained self-check tool could instead trigger broad content-generation and workspace-shaping behavior that bypasses expected guardrails and review assumptions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code actively synthesizes new research directions, prioritizes them, and produces brainstorm memos, which is not a passive consistency check but a generative planning capability. In this skill context, that is more dangerous because the manifest explicitly says the intermediate artifact must never be inserted into the paper and the skill should prevent hollow writing, yet the implementation instead creates novel agenda-setting content that could contaminate drafts, mislead downstream agents, or cause unauthorized scope expansion.

Scope Creep

Medium
Confidence
90% confidence
Finding
The helper functions support writing arbitrary JSON, JSONL, and Markdown artifacts into the workspace, enabling this skill to persist outputs far beyond the narrow intermediate argument-ledger/report scope described in metadata. In a mismatched skill, broader write capability increases the blast radius: even if the content is not directly malicious, it can overwrite or introduce authoritative-looking artifacts that downstream automation may trust or merge.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements a broad, centralized policy engine covering many unrelated pipeline stages, despite the skill being described as an argument self-loop focused on argument ledgers and premise consistency. This mismatch gives the skill authority over far more artifacts and workflow decisions than users would reasonably expect, increasing the blast radius of mistakes or malicious modifications and enabling hidden denial-of-service over the entire pipeline.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Including unrelated capabilities like ideation auditing, PDF extraction/build checks, and other broad artifact validation inside this file creates hidden privilege and behavior beyond the declared skill purpose. In a security context, unjustified capability aggregation is dangerous because it allows a supposedly narrow skill to inspect or gate unrelated assets, making abuse, unexpected side effects, and policy bypass harder to detect.

Scope Creep

Medium
Confidence
91% confidence
Finding
The module writes `output/QUALITY_GATE.md` and appends history, which exceeds a narrow 'intermediate ledger/report' expectation for an argument self-loop and creates persistent side effects across the workspace. If this skill is trusted as read-mostly or narrowly scoped, these writes can overwrite audit context, create storage growth, and influence downstream automation that consumes the generated report.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill instructs the agent to apply fixes directly to `sections/*.md`, which alters user-authored content, but it does not include an explicit warning or confirmation step before making those edits. In this context the edits are part of the skill's intended function, so the risk is limited, but silent modification can still cause unexpected overwrites, loss of author intent, or hard-to-review changes.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The pipeline advertises very broad routing hints for generic survey/review requests and also sets itself as the default route, which increases the chance that it is selected for loosely related prompts without an explicit user opt-in. In this context, misrouting matters because the pipeline is large, stateful, and designed to create and modify many workspace artifacts across multiple stages, so accidental activation can trigger substantial unintended work or file changes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The pipeline enables shell-related pre-retrieval behavior while exposing no clear user-facing warning that commands may run and workspace files may be created or modified. Even though `approval_surface: false` suggests reduced prompting rather than direct malice, the combination of automation plus hidden side effects is risky because users may not realize that selecting this pipeline can mutate the workspace before they explicitly approve those actions.

VirusTotal

66/66 vendors flagged this skill as clean.
