Security audit

Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a local calculator skill whose files match its stated purpose. Its math evaluator is built on a restricted eval, so users should avoid giving it adversarial or extremely large expressions.

Install only if you are comfortable running a small local Python calculator script. Use it for ordinary calculations and conversions, and avoid untrusted, adversarial, or extremely large expressions because the evaluator relies on restricted Python eval rather than a fully resource-limited parser.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

eval() call detected

High
Category: Dangerous Code Execution
Content:
            if name not in allowed_names:
                return {"error": f"Unknown function or variable: {name}"}

        result = eval(code, {"__builtins__": {}}, allowed_names)

        # Format result
        if isinstance(result, (int, float)):
Confidence: 71%
Finding: result = eval(code, {"__builtins__": {}}, allowed_names)

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code: suspicious.dynamic_code_execution
Location: scripts/calculator.py:71