Security audit

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a local Runtime automation helper, but it also ships under-disclosed cloud command and cloud-token handling paths that deserve review before installation.

Install only if you trust the publisher and need local Runtime automation. Expect it to read local Runtime admin credentials, contact localhost Runtime APIs, and run triggers or scripts that may change app state. Review or remove the cloud dispatch script and avoid storing cloud tokens in preferences unless you intentionally accept that unsupported remote command path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes shell and environment-driven execution paths but does not declare permissions, which weakens reviewability and informed consent for a capability that can execute local commands. In this context, the skill is explicitly a router for running triggers and scripts, so the behavior is expected, but the missing declaration still creates a real security transparency gap that could lead users or higher-level policy systems to under-scope the risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented purpose presents the skill as a lightweight local-runtime entrypoint, but the detected behavior expands into persistent state management, endpoint probing, cached data storage, and even cloud/remote execution logic. That mismatch is dangerous because operators may authorize the skill under a narrower mental model than what it can actually do, increasing the chance of unintended persistence, broader data exposure, or remote action paths being used without adequate scrutiny.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script automatically discovers a runtime management token from environment variables and local admin-token files, giving it access to a privileged credential without explicit user confirmation. In a skill advertised as read-only browser inspection, this expands capability beyond passive inspection and creates a sensitive credential-handling path that could be abused if the script or endpoint behavior changes.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description frames this as read-only inspection, but the implementation performs authenticated POST requests to a runtime browser endpoint. Even if the current actions are intended to be non-destructive, using an authenticated action interface increases trust requirements and creates a mismatch between declared and actual behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script performs authenticated remote cloud command dispatch and polling against a device using a bearer token, which materially exceeds the skill's stated purpose of local runtime automation and read-only browser sandbox inspection. This capability mismatch is dangerous because users or reviewers may grant trust based on a local/read-only description while the code can trigger remote actions on cloud-managed devices.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code constructs and sends a remote command envelope containing deviceId, command, and commandId to a cloud API, enabling command execution outside the local environment despite the skill being described as local and read-only. In this context, that hidden remote execution path is especially risky because it can be used to operate on external devices under misleading expectations about the skill's safety boundary.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script performs persistent state mutation well beyond read-only inspection: it can set, unset, and delete preference data and snapshots, including via apply-recommended and clear operations. That is a real scope mismatch because users or higher-level tooling relying on the manifest description may grant or invoke the skill under the assumption that it only inspects state, while it can actually reconfigure runtime behavior and erase stored data.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script manages cloud connectivity settings, including defaultCloudToken, and exposes them through generic get operations while only partially masking them in show. In a skill advertised mainly for local runtime triggers and read-only sandbox inspection, handling and retrievability of cloud credentials expands the trust boundary and can enable credential disclosure or unintended remote-control configuration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script automatically discovers a privileged runtime admin token from environment variables or an on-disk state directory, then uses it to dispatch commands. In an agent-skill context, this materially increases risk because invoking the skill can silently escalate from ordinary local automation to privileged Runtime administration without an explicit consent boundary.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's advertised capability includes listing and showing scripts, but it also invokes the local dispatcher to execute a named script with caller-supplied input. In a skill context, exposing execution of local App scripts materially increases risk because it can trigger arbitrary pre-existing automation with local side effects, not just perform read-only inspection.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically discovers a runtime admin token from environment variables or a local state file and uses it to access privileged runtime APIs. Silent credential harvesting from local state broadens access beyond the user's explicit input and can let the skill operate with admin privileges over the local runtime.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documentation encourages running triggers and local scripts without warning that these actions may execute arbitrary local code or modify application/system state. Because this skill is specifically positioned as an automation entrypoint, users are more likely to invoke commands directly, so omission of execution-risk warnings materially increases the chance of unsafe use.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The documented helper includes commands that write persistent preferences, but the documentation does not warn that configuration will be modified on disk. While lower impact than arbitrary script execution, silent persistence can still affect future runs, redirect runtime targets, or change trust-sensitive defaults in ways the user does not expect.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script reads management tokens from multiple sensitive locations silently, without telling the user that privileged credentials are being accessed. This is dangerous because it reduces user awareness of secret handling and makes it easier for a seemingly harmless inspection tool to inherit broader administrative access than expected.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script sends an Authorization bearer token and browser-related data to an HTTP endpoint without any warning or confirmation to the user. Although the default target is localhost, transmitting privileged credentials and tab/snapshot content still carries exposure risk if the endpoint is redirected, proxied, or unexpectedly reachable by other local software.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The clear subcommand deletes the entire preferences file immediately with rm -f and no confirmation, backup, or dry-run behavior. This creates a real integrity and availability risk because an accidental invocation can silently erase configuration and snapshots, disrupting runtime behavior and making recovery difficult.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads an admin token from environment or disk and transmits it in an Authorization header without any user-facing notice. Even if sent only to localhost, silent use of a sensitive credential is dangerous in a delegated automation setting because users may not realize the skill is operating with administrative authority.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-supplied payload data in an authenticated POST to a privileged local command endpoint, enabling execution of triggers or scripts under admin context. In this skill’s context, that is more dangerous than a generic POST because the payload directly controls privileged local actions and may be influenced by untrusted prompt input.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code discovers an admin token and immediately uses it in authenticated curl requests to the runtime without any user-facing notice or consent boundary. In this skill, that is more dangerous because the runtime endpoints control local automation, so hidden privileged API use can enumerate and later help execute sensitive local workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
DISPATCH_URL="$(join_url "$BASE_URL" "$DISPATCH_PATH")"
log "dispatching target=$TARGET commandId=$COMMAND_ID"

dispatch_raw="$(curl -sS -w $'\n%{http_code}' -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d "$ENVELOPE_JSON" \
Confidence
87% confidence
Finding
curl -sS -w $'\n%{http_code}' -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/preflight_check.sh:412