Ray Delivery Diagnosis

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent recovery automation, but it can automatically publish externally and mutate operational state on a schedule without clear per-action approval.

Install only in a trusted workspace where the referenced scripts and credentials are already reviewed. Treat this as live operations automation, not read-only diagnosis: require human approval before social posts, blog publishing, activation batches, or deployment-affecting commands, and use least-privileged accounts with clear rollback and audit controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

Finding: The template is presented as a diagnosis workflow, but it embeds instructions to publish social content, deploy blog changes, and execute operational scripts. In an agent setting, this mixes inspection with side-effecting actions, creating a real risk that a diagnosis run could trigger unauthorized publication, deployment, or system changes without explicit approval gates.

Intent-Code Divergence

Severity: Medium
Confidence: 96%

Finding: The file is framed as a passive 'Delivery Diagnosis Template' but instructs the operator/agent to perform active remediation such as publishing posts, retrying platform actions, writing receipts, and updating ticket state. This mismatch is dangerous because an agent may be granted the skill under the assumption it only audits state, while it actually authorizes impactful operational behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The skill explicitly instructs writing diagnosis files, updating recovery tickets, and modifying runner logs, but it does not present a clear, prominent warning that these actions mutate repository and operational state. In an agent context, silent state changes can cause unintended workflow corruption, false escalation states, or overwritten operational records if invoked without deliberate user approval.

Missing User Warnings

Severity: High
Confidence: 98%

Finding: The skill contains concrete instructions to publish to external platforms and perform deployment-related actions, including running blog and social publishing scripts, but lacks a prominent warning that these are live side-effecting operations. In practice, this could cause unintended public posts, production changes, or brand-impacting actions if an agent executes the workflow automatically or on malformed input.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The markdown includes actionable instructions to publish to social platforms, run deployment-related scripts, update tickets, and write files to disk, but provides no user-facing warning that these actions can change external systems. Without visibility into impact, an agent or operator could execute irreversible actions unintentionally during what appears to be a routine diagnostic process.

VirusTotal

65/65 vendors flagged this skill as clean.