Back to skill

Security audit

React Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful agent orchestration library, but it needs review because it can run generated code and write files with the user's normal system permissions.

Review before installing. Use this only in an isolated workspace or container, with least-privilege environment variables, no sensitive files in scope, and explicit allowlists for tools. Treat Code Mode as arbitrary code execution, not a sandbox, and require separate confirmation for network calls, file writes, PowerShell, and any generated code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The document asserts that critical operations must require human approval, but the provided usage example performs external network access and generated-code execution without showing those actions being routed through the HITL approval path. This creates a security-design mismatch: operators may assume protections exist when, in practice, sensitive actions can proceed automatically.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The quick reference normalizes Code Mode as a performance optimization while showing execution of arbitrary JavaScript that can access the network and environment-based secrets. In an agent skill context, this encourages unsafe dynamic code execution without sandboxing, capability limits, or explicit warnings, which can lead to secret exfiltration or arbitrary actions.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The HITL section presents approval controls, but the troubleshooting example returns true unconditionally for approval requests. That guidance undermines the approval boundary and can train implementers to bypass human review for sensitive operations, defeating the purpose of HITL.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code describes execution as a sandbox, but the JavaScript path spawns a normal Node.js child process and the PowerShell path spawns powershell.exe with inherited OS privileges. The child process also receives the parent environment, so generated code can read secrets, access the filesystem, and make network calls, making this effectively arbitrary code execution rather than sandboxing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The engine selects and invokes any registered tool based on simple heuristics or even defaults to the first available tool, with no allowlist, capability gating, user confirmation, or task-to-tool authorization. In context, this is especially risky because the code explicitly supports execution-capable tools such as `powershell-sandbox`, so an untrusted query or misclassification can trigger command execution beyond the minimum necessary for the task.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The document proposes agent-to-agent remote calls, message forwarding, and file-operation capabilities without explicitly warning about data egress, trust boundaries, or destructive actions such as write/delete. In an agent skill context, this can normalize unsafe remote delegation and sensitive file operations, increasing the chance that future implementations expose files or transmit confidential context to other agents without adequate user awareness or approval.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples include outbound web requests and direct file writes but do not warn about data transmission, credential handling, path safety, or destructive side effects. In a quick-start document, omission of these cautions increases the likelihood that developers will expose sensitive data or permit unsafe file modification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly advertises exporting full execution history as JSON, and elsewhere the history is described as containing the reasoning process, tool activity, and task traces. In an agent orchestration context, that history can easily include sensitive user prompts, internal chain-of-thought-style traces, retrieved data, and tool outputs, so encouraging export without any warning, minimization, or redaction guidance creates a realistic confidentiality risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The guide documents tools that perform networked search and file read/write actions, but it does not clearly warn users that task data may be sent to third-party services or that file operations can modify local state. In an agent skill, this omission can cause unsafe deployment decisions because operators may enable capabilities without understanding privacy and integrity risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file-write template directly writes arbitrary content to an arbitrary resolved path with no confirmation, policy enforcement, or path restriction. In this skill context, generated tool code may be influenced by model or user inputs, so this can overwrite application files, drop scripts, or modify sensitive configuration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The component executes generated JavaScript and PowerShell in subprocesses, but the interface shown here does not impose meaningful safety boundaries or clear disclosure that arbitrary code/shell execution is occurring. Because the generated code can perform filesystem, network, and environment access, this behavior materially increases the risk of command execution and data exfiltration.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Tavily search template sends user-supplied queries to an external service and uses an API key from the environment, but there is no explicit disclosure, consent flow, or data classification check. In an agent skill, prompts or tool parameters may contain sensitive data, so silent outbound transmission can leak confidential information.

External Transmission

Medium
Category
Data Exfiltration
Content
// Tavily 搜索
orchestrator.registerTool('tavily-search',
  async (params) => {
    const res = await fetch('https://api.tavily.com/search', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
Confidence
85% confidence
Finding
fetch('https://api.tavily.com/search', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
// Tavily 搜索
orchestrator.registerTool('tavily-search',
  async (params) => {
    const res = await fetch('https://api.tavily.com/search', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
Confidence
85% confidence
Finding
https://api.tavily.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
timeout: options.timeout || 300000, // 5 分钟
      onTimeout: options.onTimeout || null,
      // 自动批准模式(白名单)
      autoApprove: options.autoApprove || [],
      // 日志
      verbose: options.verbose || false,
    };
Confidence
86% confidence
Finding
autoApprove

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
timeout: options.timeout || 300000, // 5 分钟
      onTimeout: options.onTimeout || null,
      // 自动批准模式(白名单)
      autoApprove: options.autoApprove || [],
      // 日志
      verbose: options.verbose || false,
    };
Confidence
86% confidence
Finding
autoApprove

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
if (!this.options.enabled) return false;
    
    // 白名单:自动批准
    if (this.options.autoApprove.includes(toolName)) {
      this.log(`✅ 自动批准:${toolName} (白名单)`);
      return false;
    }
Confidence
92% confidence
Finding
autoApprove

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/code-mode.js:227