
Security audit

slim

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed command-output filter with an optional user-invoked command wrapper and no evidence of hidden persistence, credential access, exfiltration, or destructive behavior.

Install only if you want an agent-facing CLI filter that can reduce large command output. Use pipe mode when you only want filtering, and use wrapper mode only for commands you would already be comfortable running locally; re-run without slim when complete output matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run(cmd: str, cwd: str) -> str:
    # Runs the caller-supplied command string through the shell (shell=True),
    # so metacharacters in cmd are interpreted by the shell; stdout and stderr
    # are captured and returned concatenated.
    p = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return p.stdout + p.stderr
Confidence
95% confidence
Finding
p = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation advertises and demonstrates shell execution capability (`slim --report -- git log -p -8`) and requires `bash`/`python3`, yet no explicit permissions model is declared. In an agent environment, hidden or undeclared shell/network-capable behavior reduces operator visibility and can lead to unintended command execution or use in riskier contexts than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose presents the skill as a passive output filter, but the documented exec-wrapper mode means it can actively execute arbitrary local commands and return their filtered output. That mismatch is dangerous because users or higher-level agents may trust and auto-invoke it as a harmless formatter, while it actually expands the attack surface to local command execution and potentially benchmark scripts that run in real directories.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
import subprocess

def run(cmd: str, cwd: str) -> str:
    # Same wrapper as in the first finding: the command string is passed to
    # the shell unchanged (shell=True), and combined stdout/stderr is returned.
    p = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return p.stdout + p.stderr
Confidence
93% confidence
Finding
subprocess.run(cmd, shell=True

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.