Security audit

Arianna Incubator

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Arianna orchestration, but it grants broad container/control-plane access and can persist or transfer sensitive session context in ways users should review first.

Review this skill before installing. Use it only if you understand and want Arianna container orchestration, and do not allow session-history seeding, Docker-level recovery, docker exec mutation, or prompt/model handoff notes unless you explicitly approve the exact data and command scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill claims all interaction should go through the `arianna` CLI, but later instructs the agent to use raw daemon HTTP endpoints and Docker commands for recovery and switching. This inconsistency expands the operational surface area, increases the chance the agent will bypass intended safety boundaries, and can lead to direct state manipulation outside the audited player interface.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The skill forbids `docker exec` and out-of-band intervention for in-loop work, but later authorizes Docker-level recovery, inspection, and even exceptional `docker exec`-based mutation. In a security-sensitive agent context, contradictory permission boundaries are dangerous because they normalize privilege escalation from a constrained gameplay interface into host/container administration.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation criteria are broad enough to trigger on generic requests like 'play arianna' or 'run a vessel,' which could cause the agent to enter a high-impact orchestration workflow without sufficient contextual confirmation. Because this skill can bootstrap containers, manipulate profiles, and drive downstream integration, over-broad activation materially increases misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The skill directs the agent to write a file into the user's home workspace without a clear warning or consent checkpoint. In agent systems, silent local file modification is risky because users may not realize the skill persists artifacts outside the immediate task context.

Ssd 3

Severity: High
Confidence: 96%
Finding
The `own-jsonl-seed` mode instructs transferring the driver's prior session history into a new AI as bootstrap context. That is effectively cross-agent session persistence and context transfer, which can leak sensitive prior conversations, hidden instructions, credentials, or unrelated user data into a new execution environment.

Ssd 3

Severity: Medium
Confidence: 82%
Finding
Instructing the agent to write operator-facing notes that may include model selection and system prompt overrides risks persisting sensitive control-plane configuration in a broadly accessible workspace file. System prompts and override settings can contain privileged operational details that should not be casually written to disk.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.