Back to skill

Security audit

Bash Themes

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly harmful, but its advertised Bash theme purpose does not match the runnable developer-workflow script, so it should be reviewed before installation.

Install only if you are comfortable with a package whose description and implementation do not currently match. Verify which script the bash-themes command will run, avoid passing sensitive text as arguments because they may be logged locally, and treat the auto-update and Bash-theme-management claims as unsupported by the included code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script’s declared behavior and help text present it as a generic developer workflow tool, which materially contradicts the skill metadata claiming an Oh My Bash/bash-configuration framework. This kind of capability mismatch is dangerous because users may install or trust the skill under false assumptions, reducing scrutiny and enabling unwanted data collection or later expansion of behavior under a misleading label.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The inline documentation explicitly describes developer workflow automation rather than bash configuration management, reinforcing a deceptive or at least misleading presentation of the skill. In a plugin/skill ecosystem, this context makes the mismatch more dangerous because users choose skills based on manifest purpose and may grant trust or execution they would not give to an unrelated tool.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The listed command triggers are extremely broad and lack constraints, arguments, or safety boundaries, which increases the chance that an agent will route unrelated user requests into this skill. In an agent context, ambiguous triggers can cause unintended command execution paths and make abuse easier because the operator cannot clearly tell what actions are in scope.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Advertising an auto-update capability for a shell-related tool without warning users that local bash configuration or related files may be modified creates unsafe expectations. Users may authorize the skill believing it is informational, when it may instead alter persistent shell state or fetch updates automatically, which is especially risky in terminal environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The logging helper writes command names and user-supplied arguments to a persistent history file under the user’s data directory without notice, consent, redaction, or retention controls. This can expose sensitive project names, tokens, internal paths, or other secrets passed as arguments, and the deceptive skill context makes the collection less expected and therefore riskier.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.