Back to skill

Security audit

Spm V4 Push

Security checks across malware telemetry and agentic risk

Overview

This is a local project-management skill that creates tracking files and audit logs as part of its stated purpose, with some quality and scoping caveats but no evidence of hidden exfiltration or destructive behavior.

Install only for repositories where you want SPM to create and maintain local project-management files. Use explicit prompts such as "use SPM for this project," review changes before committing, do not store secrets in the WBS ledger or event logs, and do not rely on its security gate or Merkle wording as a complete sandbox or forensic guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs shell execution and filesystem mutation (`mkdir`, `echo`, `shasum`, `cat`, `awk`) while declaring no permissions. That creates a transparency and policy-enforcement gap: users or platforms may not realize the skill can modify the workspace and execute commands, increasing the chance of unintended side effects or unsafe execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The command is documented and presented as a health check, but it later performs a write to the event store and rotates the audit domain. That mismatch can cause unexpected state changes, making operators trust a supposedly read-only diagnostic command that actually mutates project data.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The comment says the code will clean up a test event, but `store.rotateDomain('audit')` appears to rotate the entire audit domain rather than delete only the synthetic test record. In a diagnostic command, that can destroy or archive legitimate audit history unexpectedly, undermining integrity and forensic value.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
`getCheckpoint` is named and documented as returning a checkpoint heartbeat, but it actually returns the nearest heartbeat by time regardless of whether it represents a checkpoint. In a session recovery system, this can cause restoration from an unstable or in-progress state, leading to incorrect task reconstruction, state corruption, or unsafe continuation decisions by downstream orchestration logic.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module claims to implement a Merkle tree with pinpoint tampering detection, but it actually computes a single hash over concatenated leaf hashes rather than building hierarchical parent nodes. This mismatch can mislead downstream consumers into assuming Merkle-style inclusion proofs or localized verification properties that the implementation does not provide, weakening integrity assurances in a security-sensitive project-management or attestation workflow.

Vague Triggers

High
Confidence
92% confidence
Finding
The activation criteria are broad enough to trigger on ordinary terms like 'project', 'engineering', 'development', or 'implementation', causing the skill to take over routine requests unexpectedly. In context, this is risky because activation leads directly to structured workflow changes and possible shell/file actions, so an overbroad trigger can cause unnecessary workspace modification and agent overreach.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs immediate creation of directories and files in the user's workspace without warning or explicit consent. In an agent setting, silent mutation of `docs/spm`, `.spm`, `src`, and `tests` can alter repository state, interfere with existing layouts, and create audit or integrity artifacts the user did not request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This health-check path writes a synthetic audit event and performs rotation without clearly warning the user in the command description or interface. Undisclosed side effects in a diagnostic tool increase the chance of accidental data modification during routine maintenance.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The transition rule permits movement from any phase to any other phase under the unconditional condition "always", effectively disabling the lifecycle state machine. In a project-management engine that orchestrates subagents and enforces quality and security gates, this can allow required review, planning, or verification phases to be skipped, weakening process integrity and enabling unsafe actions to proceed unchecked.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This hook automatically injects WBS ledger state into every downstream tool invocation, which can expose internal task metadata, file paths, and project workflow details to tools that do not need that information. Because the injection is unconditional and there is no consent, scoping, or sensitivity filtering in this file, it creates an unnecessary cross-tool data exposure channel that could leak sensitive context to untrusted or over-privileged tools.

External Script Fetching

High
Category
Supply Chain
Content
reason: "Direct block device write"

  # ── Risky (warn user) ───────────────────────────────────────────────
  - pattern: "^curl .*\\| sh$"
    level: risky
    action: warn
    reason: "Remote code execution via pipe to shell"
Confidence
86% confidence
Finding
curl .*\\| sh

External Script Fetching

High
Category
Supply Chain
Content
action: warn
    reason: "Remote code execution via pipe to shell"

  - pattern: "^bash <\\(curl "
    level: risky
    action: warn
    reason: "Remote code execution via process substitution"
Confidence
85% confidence
Finding
curl " level: risky action: warn reason: "Remote code execution via process substitution" - pattern: "^git push --force" level: risky action: warn reason: "Force push may ov

External Script Fetching

High
Category
Supply Chain
Content
action: warn
    reason: "Overly permissive file permissions"

  - pattern: "^wget .* -O - \\| sh$"
    level: risky
    action: warn
    reason: "Remote code execution via pipe to shell"
Confidence
86% confidence
Finding
wget .* -O - \\| sh

Unpinned Dependencies

Low
Category
Supply Chain
Content
"spm": "node src/cli.js"
  },
  "dependencies": {
    "commander": "^15.0.0",
    "pino": "^10.3.1",
    "proper-lockfile": "^4.1.2",
    "yaml": "^2.9.0",
Confidence
93% confidence
Finding
"commander": "^15.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "commander": "^15.0.0",
    "pino": "^10.3.1",
    "proper-lockfile": "^4.1.2",
    "yaml": "^2.9.0",
    "zod": "^4.4.3"
Confidence
93% confidence
Finding
"pino": "^10.3.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "commander": "^15.0.0",
    "pino": "^10.3.1",
    "proper-lockfile": "^4.1.2",
    "yaml": "^2.9.0",
    "zod": "^4.4.3"
  },
Confidence
93% confidence
Finding
"proper-lockfile": "^4.1.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"commander": "^15.0.0",
    "pino": "^10.3.1",
    "proper-lockfile": "^4.1.2",
    "yaml": "^2.9.0",
    "zod": "^4.4.3"
  },
  "devDependencies": {
Confidence
93% confidence
Finding
"yaml": "^2.9.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"pino": "^10.3.1",
    "proper-lockfile": "^4.1.2",
    "yaml": "^2.9.0",
    "zod": "^4.4.3"
  },
  "devDependencies": {
    "jest": "^30.4.2"
Confidence
93% confidence
Finding
"zod": "^4.4.3"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"zod": "^4.4.3"
  },
  "devDependencies": {
    "jest": "^30.4.2"
  }
}
Confidence
88% confidence
Finding
"jest": "^30.4.2"

Tool Parameter Abuse

High
Category
Tool Misuse
Content
action: warn
    reason: "Force push may overwrite remote history"

  - pattern: "^chmod -R 777"
    level: risky
    action: warn
    reason: "Overly permissive file permissions"
Confidence
71% confidence
Finding
chmod -R 777

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.