Back to skill

Security audit

SourceHarbor Watchlist Briefing

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only SourceHarbor briefing skill, with disclosed MCP/HTTP setup and no hidden code, but users should treat the optional send/run capabilities cautiously.

Install this only if you trust your SourceHarbor MCP/API setup. Review the external SourceHarbor repository before running its MCP server, keep the API base URL pointed at a trusted local endpoint, and require explicit user approval before any report is sent or workflow is run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The capability map grants access to `sourceharbor.reports.daily_send` and `sourceharbor.workflows.run`, which exceed the skill's stated purpose of answering a single operator question with current context and evidence. Even without explicit abuse instructions, exposing action-oriented capabilities increases the chance of unintended report dispatches or workflow execution if the agent misinterprets prompts or is prompt-injected through retrieved content.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The document says the skill should not drift into subscription or notification changes, yet it includes a report-sending capability that can create outbound side effects. This mismatch weakens operator expectations and makes the skill more dangerous in context, because a user may assume read-only behavior while the agent still has tools capable of sending reports or initiating broader actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The capability map grants access to `sourceharbor.reports.daily_send` and `sourceharbor.workflows.run`, which are action-oriented capabilities not required for the stated task of answering a single operator question from one watchlist. Including broader write/execute surfaces increases the chance of prompt abuse, accidental side effects, or privilege misuse if downstream instructions steer the agent into sending reports or triggering workflows.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "operator question" is overly broad and can cause this skill to activate in many unrelated contexts where an operator merely asks a question. That increases the chance of unintended invocation, causing the agent to pull SourceHarbor context or shape responses when the user did not explicitly request this workflow, which can lead to inappropriate data exposure or workflow confusion.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.