Security audit

Stata Econ Workflow Publish

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Stata research workflow skill, but it needs review because it combines command execution with automatic persistent project-memory changes and broad activation language.

Install only if you want an agent to help manage Stata/econometrics projects and you are comfortable reviewing local commands before they run. Before using it, narrow the trigger language, require explicit approval before writing MEMORY.md/CLAUDE.md/TOOLS.md or installing packages, and remove or redact username logging from reproducibility logs that may be shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes file-reading and shell-execution capabilities in its instructions but does not declare permissions or constraints. That creates a gap between apparent and actual capability, increasing the chance of unintended command execution, unsafe file access, or bypass of user/operator expectations during invocation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad terms like study, paper, quality, template, workflow, and log, which can cause the skill to activate in unrelated contexts. Over-triggering is risky here because the skill contains shell and file-operation guidance, so accidental invocation could expose users to unintended operational suggestions or command paths.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides direct command examples for running do-files, installing packages, reading logs, and launching Stata, but it does not warn that these actions can modify the system, install software, or execute local code. In a skill that may be auto-invoked, omission of execution warnings materially raises the risk of unsafe or unexpected side effects.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The agent instructions are entirely in Chinese with no language choice or opt-in, which can prevent non-Chinese-speaking users or reviewers from understanding the skill’s behavior, limitations, and output requirements. In a security and research-review workflow, lack of comprehensibility reduces informed consent, hampers oversight, and increases the chance that unsafe or incorrect actions pass without effective human review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The protocol instructs the agent to immediately write `[LEARN]` corrections into `.claude/MEMORY.md`, which is a persistent project file, without requiring explicit user consent at the time of modification. This creates an unauthorized state-changing side effect: a user correction during normal conversation can silently alter repository memory and influence future behavior, potentially enabling persistence of bad instructions or poisoning of project context.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The post-merge workflow directs creation of a new quality report file and execution of a local script, but does not warn that this will generate new artifacts in the workspace. While lower risk than hidden memory modification, it still authorizes unannounced file creation and workflow side effects that a user may not expect from advisory skill content.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The protocol explicitly instructs logging `c(username)` into a reproducibility log, which collects locally identifying system information without any minimization, warning, or opt-out. In a research replication workflow this is not an RCE-style flaw, but it does create unnecessary privacy exposure because logs are often shared, committed, or sent to reviewers.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The file tells users to invoke a skill with the everyday phrase "let's start on [your project]", which is broad and not uniquely tied to this specific Stata/econometrics workflow. Broad activation guidance can cause accidental triggering in normal conversation, leading the agent to load project rules, tools, or workflow behavior in contexts the user did not explicitly intend. In a skill that can drive analysis workflows and interact with execution-oriented tooling, that ambiguity increases the chance of unintended actions or scope escalation.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The template explicitly permits `Bash` in allowed tools and later encourages command-execution workflows, but does not require an explicit user-facing warning, justification, or safety boundary for shell use. In an agent skill ecosystem, this can normalize overly broad command execution and increase the chance that downstream skills run destructive, privacy-impacting, or unreviewed commands.

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.