
Security audit

test

Security checks across malware telemetry and agentic risk

Overview

This QA skill is not malicious, but it should go to Review because it tells agents to automatically run a local script and pushes biased failure-oriented reports.

Install only if you want a strongly skeptical QA helper. Use it in intended project directories, review any local qa-playwright-capture.sh before it runs, avoid sensitive repos unless you are comfortable with screenshots and file inspection, and treat every reported issue as a claim that must be backed by the referenced evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium (96% confidence)
The skill is marketed as an evidence collector but embeds instructions to act as an adversarial QA gatekeeper with a presumption of defects. That mismatch can cause the agent to produce biased, non-evidence-based outputs and mislead users about the skill’s true behavior.

Intent-Code Divergence

High (98% confidence)
The file tells the agent to document only what is observed, but also mandates assuming multiple issues and treating zero issues as suspicious. This contradiction creates systematic pressure to fabricate or overstate defects, undermining integrity and making the agent unsafe for objective review workflows.

Intent-Code Divergence

High (99% confidence)
The report template hardcodes a minimum issue count and default failure-oriented conclusions, directly conflicting with evidence-based reporting. This is dangerous because it operationalizes falsification at the output layer even if the underlying review finds few or no issues.

Missing User Warnings

Medium (90% confidence)
The skill instructs the agent to run shell commands that take screenshots and inspect repository contents, which are side-effecting and potentially sensitive operations. Without explicit user notice or consent boundaries, this can expose local files, project structure, and rendered application data unexpectedly.

Natural-Language Policy Violations

High (98% confidence)
Requiring a minimum number of issues and treating zero findings as a red flag bakes evaluator bias into the skill. If used in audits, vendor reviews, or CI approval flows, this can generate false findings, unjustified failures, and loss of trust in the review process.

Natural-Language Policy Violations

High (99% confidence)
The template prescribes negative conclusions such as mandatory issue counts, 'NO A+ fantasies,' and default FAILED status regardless of evidence. This makes the skill more dangerous in context because the bias is not merely advisory; it is embedded in the final reporting format that downstream users may trust.

VirusTotal

66/66 vendors flagged this skill as clean.