auto-workflow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a workflow automation skill, but it gives workflows broad command-execution, file, network, and environment-variable capabilities without enough guardrails.

Install only if you trust the workflow files you will run and are comfortable reviewing them like code. Avoid running untrusted workflows, do not rely on dry-run unless verified, and run it in a restricted directory or sandbox with only the specific environment variables needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        timeout = params.get('timeout', CONFIG['timeout'])
        try:
            log(f"    执行:{cmd}", 'info', 2)
            result = subprocess.run(
                cmd, shell=True, capture_output=True, text=True, timeout=timeout
            )
            if result.returncode == 0:
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout )

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Implementing a 'shell.exec' action allows arbitrary OS command execution from workflow definitions. In a skill that can run custom workflows, this becomes a direct command-injection and remote-code-execution primitive if untrusted or user-influenced workflow content is processed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The variable expansion logic iterates through all environment variables and substitutes them into workflow parameters. This creates a secret-exposure path because any workflow action that logs, saves, uploads, or posts expanded values can leak tokens, credentials, or internal configuration.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The engine exposes a generic shell.exec action, giving workflows arbitrary command execution capability rather than only bounded automation primitives. Because the skill is designed for automated execution of preset or custom workflows, this greatly increases the blast radius and turns workflow data into executable code.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The variable expansion logic iterates over all environment variables and substitutes them into workflow parameters, exposing ambient secrets such as API keys, tokens, and internal system context. In combination with http.post, file writes, logs, or shell execution, workflows can silently exfiltrate sensitive values.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI advertises a --dry-run mode, but the program does not parse or enforce it before performing file deletion, network requests, archive extraction, or shell execution. Users may rely on the documented safety control and unintentionally trigger destructive or unsafe real operations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to cause accidental invocation of a skill that can delete files, access networks, and execute shell commands. In this context, unintended activation materially increases the chance of destructive or privacy-impacting actions without clear user intent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation promotes destructive and data-affecting automation such as backup, cleanup, upload, and file operations without explicit warnings, dry-run guidance, or confirmation requirements. In a workflow engine, normalizing these actions without safeguards can lead to accidental data loss or unintended data transfer.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Sensitive environment variables are expanded into arbitrary strings without user warning, consent, or scoping, making accidental credential disclosure likely. Since expanded values can flow into URLs, POST bodies, output files, notifications, and logs, this is a practical secret-leak path.

VirusTotal

67/67 vendors flagged this skill as clean.
