Back to skill

Security audit

temporal-python-testing

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Temporal testing guide, but it normalizes copying production workflow histories into local files and CI without enough data-protection guardrails.

Install only if your team understands Temporal replay testing and will adapt the examples. Prefer sanitized or non-production histories. Export production histories only with explicit authorization, least-privilege read-only access, redaction or minimization, protected storage, short retention, and controls preventing raw histories from being committed or uploaded as CI artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide includes runnable examples that connect to production Temporal infrastructure and bulk-export workflow histories to local files. Workflow histories often contain business data, identifiers, inputs, and execution details, so normalizing production export in a testing skill can lead to unnecessary data exfiltration, over-collection, or insecure local storage if copied into developer machines or CI systems.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The CI/CD example automates pulling recent production histories and storing them in files/artifacts, which expands the exposure surface from the Temporal cluster to build runners and artifact storage. In a testing-focused skill, this is risky because CI environments are commonly shared, less tightly controlled than production, and prone to accidental retention or broad access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The section encourages exporting production workflow histories without warning that those histories may contain sensitive operational or customer data. Omitting privacy and data-handling caveats in security-relevant guidance increases the chance that users will copy production data into local files, repositories, or shared systems without appropriate safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CI/CD guidance recommends downloading and processing production histories in automation but does not address privacy, least privilege, artifact leakage, or retention. This omission is dangerous because CI pipelines frequently replicate data across logs, caches, workspaces, and artifact stores, amplifying the blast radius of any sensitive history content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.