Maxwell Fea Simulation

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly local Maxwell simulation guidance, but its post-processing script can produce demo results while appearing to analyze user CSV data.

Review before using for real engineering decisions. The reference material and checklist are ordinary local guidance, but do not rely on maxwell_post_processor.py for real CSV analysis unless you first verify or modify it to read the input files and clearly label whether outputs are demo data or simulation-derived results.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The script advertises processing user-supplied Maxwell result CSV files, but the implemented CLI path ignores those inputs and instead generates synthetic demo data. In an engineering analysis skill, this can silently produce fabricated outputs that users may trust as real simulation post-processing, leading to incorrect design, validation, or reporting decisions.

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The documentation claims support for file-based back-EMF analysis using --theta and --flux, but those options and workflow are not implemented. This mismatch is dangerous because users may rely on unsupported analysis paths in a safety- and quality-sensitive simulation context, causing silent misuse, failed automation, or substitution with non-real demo outputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal