
Security audit

skills creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a high-capability skill-generation and testing framework whose local code execution and external data flows are under-scoped and partly misleading.

Install only if you are comfortable reviewing and running a local skill-generation framework. Do not use its local testers on untrusted or newly generated code unless you add real isolation (preferably Docker or a VM with no host mounts and no network) and verify path containment before writing generated skills. Treat DeepSeek or other configured LLM calls as external data sharing, and avoid sending proprietary code, secrets, or sensitive task text without redaction and consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if test_input:
    # run with the provided stdin input
    result = subprocess.run(
        ['python', temp_file],
        input=test_input,
        capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run( ['python', temp_file], input=test_input, capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        timeout=self.timeout
    )
else:
    result = subprocess.run(
        ['python', temp_file],
        capture_output=True,
        text=True,
Confidence
97% confidence
Finding
result = subprocess.run( ['python', temp_file], capture_output=True, text=True, timeout=self.timeout

compile() call detected

Medium
Category
Dangerous Code Execution
Content
try:
    # compile the code
    compiled = compile(code, '<skill>', 'exec')

    # execute the code
    exec(compiled, namespace)
Confidence
98% confidence
Finding
compiled = compile(code, '<skill>', 'exec')

exec() call detected

High
Category
Dangerous Code Execution
Content
compiled = compile(code, '<skill>', 'exec')

# execute the code
exec(compiled, namespace)

# look up the skill class
skill_class = None
Confidence
99% confidence
Finding
exec(compiled, namespace)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of scripts that imply shell execution plus file read/write and possible environment access, but it declares no permissions or safety boundaries. This creates a trust gap: an agent may invoke powerful local operations without explicit user visibility, increasing the risk of unauthorized file modification, data exposure, or command execution.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The class is presented as a sandbox, but it is not a security boundary: it only writes code to a temp file and runs it with a timeout. In a skill whose purpose is to generate and test code automatically, this misleading framing is especially dangerous because users may trust it to safely evaluate adversarial or AI-generated code.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The constructor accepts a memory_limit parameter but never applies it, creating a false sense of protection. Malicious or buggy code can consume excessive memory, causing denial of service or instability on the host running the tests.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module advertises 'secure sandbox execution', but the SimpleTester implementation executes arbitrary code locally using exec with full builtins. This security misrepresentation is dangerous because it can lead users to run hostile skills under false assumptions, increasing the likelihood of host compromise.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims to create an 'isolated namespace', but a custom globals dict does not isolate Python code from dangerous builtins or imports. Untrusted code executed this way can still access the runtime and host resources, so the implementation does not meet its stated safety properties.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script globally overrides `HF_ENDPOINT` to use a third-party mirror for all Hugging Face downloads. This introduces a software supply-chain risk because model artifacts and metadata are fetched from an alternate endpoint outside the default trust path, and the change applies process-wide without validation, pinning, or user opt-in. In a skill-generation framework that may be used to scan, generate, and test code, pulling unverified ML assets from a mirror is more dangerous than in a one-off local utility.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad phrases like creating a skill factory or needing to retrieve/generate/evaluate skills, which overlap many normal development tasks. An overly broad trigger can cause unintended invocation of a high-capability skill, leading to unnecessary code generation, file operations, or shell-backed workflows in contexts where the user did not explicitly request them.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description field is explicitly used for semantic vectorization and retrieval, but the template only asks for a broad functional description and does not require clear activation boundaries, exclusions, or misuse constraints. In a meta-skill that scans, generates, and retrieves other skills, overly generic descriptions can cause incorrect semantic activation or retrieval of an unintended skill, which can route sensitive or high-impact tasks to the wrong logic.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "alarm" is overly broad and can match common conversational use unrelated to setting reminders, increasing the chance of accidental invocation. In an auto-generated skill framework, broad triggers are more dangerous because they can cause the wrong skill to activate frequently, leading to confusing behavior or unintended actions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The listed trigger phrases are underspecified and do not define activation boundaries, exclusions, or example intents, which makes the skill prone to trigger collisions with other time, scheduling, or general assistant capabilities. Because this skill is generated automatically and appears incomplete (its usage section is titled "使用方法(待完善)", i.e. "Usage (to be completed)"), the lack of scope constraints increases the risk of misrouting user requests or invoking the skill in unintended contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends raw task descriptions and enumerated installed skill metadata to an external LLM service (`deepseek-chat`) without any consent gate, redaction step, or disclosure mechanism. In a skill-generation/orchestration framework, tasks and skill names may contain sensitive business context, secrets, internal capabilities, or user data, so this creates a real confidentiality and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The optimizer transmits `original_code`, `error`, and expected output to an external LLM service, which can expose proprietary source code, secrets embedded in code, stack traces, or sensitive business logic to a third party. In a skill-generation framework, this is more dangerous because the input is likely to be arbitrary user or repository code, making unintentional data exfiltration a realistic risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends the user's raw task text and internally discovered skill identifiers to an external LLM service without any consent gate, redaction step, or disclosure in this component. If user tasks contain sensitive business data, credentials, personal information, or internal workflow names, that information may be exposed to a third-party provider and logged or retained outside the local trust boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function writes provided code to disk and executes it immediately with no approval gate, provenance check, or user warning. In this skill context, which is explicitly for generating and testing skills, the code source is likely dynamic and potentially adversarial, making silent execution materially risky.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The find-skills entry describes activation on very common phrases like 'how do I do X' and 'is there a skill that can...', which can cause the skill to trigger across a wide range of ordinary user requests. In a skill-dispatch system, overly broad routing increases the chance of untrusted skill discovery or installation flows being invoked when the user did not explicitly ask for them, expanding attack surface and enabling prompt/behavior hijacking via skill selection.

Vague Triggers

Low
Confidence
79% confidence
Finding
The proactive-agent description promotes activation based on 'anticipate needs' and 'continuously improve', which is ambiguous and can justify unsolicited invocation beyond the user's stated request. In context, this is risky because proactive/autonomous behaviors often combine with memory, scheduling, or external actions, so vague triggers can lead to unnecessary autonomy and unexpected side effects.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The find-skills entry is described as triggering on very broad, everyday phrasing such as generic how-do-I requests and capability questions. In a skill ecosystem, that can cause unintended invocation and skill-installation prompts in contexts where the user did not explicitly ask to search for or install skills, expanding the agent's behavior surface and potentially steering users toward untrusted functionality.

Ssd 1

Medium
Confidence
90% confidence
Finding
The planner injects user-controlled task text directly into the LLM prompt context, allowing a malicious user to embed adversarial instructions such as telling the model to ignore system guidance, fabricate JSON, or choose a specific routing outcome. Because the LLM output directly influences whether the system reuses existing skills, composes skills, or generates new ones, prompt injection can manipulate control flow and potentially trigger unsafe downstream actions.

Self-Modification

High
Category
Rogue Agent
Content
skill_dir = GENERATED_DIR / skill_data["name"]
    skill_dir.mkdir(parents=True, exist_ok=True)
    
    # Write SKILL.md
    skill_file = skill_dir / "SKILL.md"
    skill_file.write_text(skill_data["content"], encoding="utf-8")
Confidence
91% confidence
Finding
Write SKILL

VirusTotal

64/64 vendors flagged this skill as clean.
