Back to skill

Security audit

Automate It

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent, but it gives agents broad Automate It account control, including arbitrary MCP tool calls and immediate deletion/publishing-related actions.

Install only if you trust the publisher and are comfortable giving this skill an Automate It API key with the scopes you grant. Prefer a least-privilege key, avoid reviewer/admin scopes unless needed, keep human review enabled, and treat `ait call`, delete, clear-content, approve, publish, and automation commands as high-impact actions that should only be run after an explicit user request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest frames this skill as a bounded interface for drafting, scheduling, publishing, and checking content tasks, but the implementation explicitly exposes `ait call <tool>` to invoke arbitrary MCP tools verbatim. That creates a capability mismatch: an agent or prompt that appears to use a limited content workflow can actually reach any server-exposed tool, including future or undocumented operations, bypassing the intended safety boundary.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The CLI exposes workspace listing and user identity discovery (`workspaces`, `whoami`) beyond the narrow content-task actions described in the skill summary. While these are not directly destructive, they expand the accessible data surface and can aid enumeration, targeting, or misuse of the broader Automate It environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `task delete` path directly maps user input to `delete_task` with no confirmation prompt, dry-run mode, or secondary acknowledgment. In an agentic setting, a mistaken instruction, prompt injection, or ambiguous task reference could cause irreversible deletion of workflow artifacts without any human checkpoint.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Both `task delete-content` and `task clear-content` execute destructive content removal immediately, without warning or confirmation. Because this skill is intended for content workflows, these commands are especially risky: they can wipe in-progress or review-ready material through accidental invocation or adversarial prompting.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.