Security audit

Auto Skill Evolver

Security checks across malware telemetry and agentic risk

Overview

This skill can run user-chosen commands and propose changes to other skills, but that behavior is clearly disclosed, purpose-aligned, and gated before applying edits.

Install only if you intentionally want a tool that can run local training commands and modify skill files after approval. Use it in a development workspace, review the full diff before applying, prefer hash approval over a plain yes token, restrict --allowed-skill-roots, and avoid traces or feedback that contain credentials or sensitive private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    args = parse_safe_command(command)
    print(f"Executing (safe argv): {args}")
    try:
        result = subprocess.run(args, shell=False, check=True, capture_output=True, text=True)
        return result.stdout, result.stderr
    except subprocess.CalledProcessError as e:
        print(f"Command failed with error: {e}")
Confidence: 92%
Finding:
    result = subprocess.run(args, shell=False, check=True, capture_output=True, text=True)

Tainted flow: 'username' from os.environ.get (line 117, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
            # 1. Break inheritance and remove existing permissions
            subprocess.run(['icacls', path, '/inheritance:r'], check=True, capture_output=True)
            # 2. Grant full control to current user
            subprocess.run(['icacls', path, '/grant:r', f'{username}:(OI)(CI)F'], check=True, capture_output=True)

    else:
        # Linux/Mac: chmod 700 (rwx------)
Confidence: 78%
Finding:
    subprocess.run(['icacls', path, '/grant:r', f'{username}:(OI)(CI)F'], check=True, capture_output=True)

Tainted flow: 'username' from os.environ.get (line 117, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
        username = os.environ.get("USERNAME")
        if username and os.path.exists(path):
            subprocess.run(["icacls", path, "/inheritance:r"], check=True, capture_output=True)
            subprocess.run(["icacls", path, "/grant:r", f"{username}:F"], check=True, capture_output=True)
    else:
        if os.path.exists(path):
            os.chmod(path, 0o600)
Confidence: 78%
Finding:
    subprocess.run(["icacls", path, "/grant:r", f"{username}:F"], check=True, capture_output=True)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The script reads an execution trace file or falls back to stdout/stderr, then persists that data for downstream optimization without any user-facing warning, consent step, or sanitization. Execution traces commonly contain prompts, credentials, file paths, tokens, personal data, or proprietary content, so this creates a meaningful sensitive-data exposure risk in a self-training pipeline.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.