Back to skill

Security audit

Cross‑Device Encrypted Script Authorization

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is coherent, but it teaches users to run encrypted scripts they cannot inspect without enough warning or provenance controls.

Review before installing or using. Only run sealed scripts from fully trusted sources, prefer signed or hash-verified payloads, use a constrained sandbox or least-privilege environment, and do not treat encryption as proof that the hidden script is safe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to store and execute transferred sealed scripts on a target node, but it provides no warning that encryption only protects confidentiality in transit and does not make the code safe to run. This creates a dangerous trust illusion: users may treat opaque ciphertext as inherently trustworthy and execute unreviewed code that can perform arbitrary actions once decrypted on the authorized node.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This documentation explicitly instructs the user to execute sealed, effectively unreviewable code on a target node while emphasizing secrecy and 'zero exposure,' but it does not clearly warn that the receiving party cannot inspect what will run. That creates a realistic pathway for covert delivery of malicious logic, especially because the skill frames opaque execution as a security benefit rather than a trust risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.