Back to skill

Security audit

Data Analyst Secure Suite

Security checks across malware telemetry and agentic risk

Overview

The skill appears legitimate and documentation-only, but it teaches powerful local credential-access patterns without enough enforced scoping or warnings.

Review before installing. Use this only if you trust the MGC Blackbox publisher and your environment enforces per-use approval, narrow credential scope, file permissions on the token, audit logs, and token rotation. Do not copy the credential examples with real secrets, and do not let arbitrary scripts read the MGC token or retrieve credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The example contradicts the document's security claims by showing a plaintext credential embedded directly in code. Even if intended as a placeholder, users may copy this pattern into scripts or prompts, causing secrets to be exposed in source files, logs, shell history, or AI-visible contexts.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The retrieval example accesses the local secret store immediately after reading the token file, with no demonstrated authorization or consent check despite repeated claims that all access requires explicit user approval. This mismatch can normalize automated secret access and enable scripts to pull credentials silently once a local token is available.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document presents contradictory security guarantees: it states the AI cannot see plaintext knowledge, yet shows a direct `mgc_get(...)` retrieval into a variable and says the AI can use the content after authorization. This ambiguity can mislead users and agent authors into believing sensitive knowledge remains hidden from the model when it may in fact be exposed through tool outputs or prompt injection paths, creating a confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README discloses the exact local path to the MGC authentication token file and labels the required header, which materially lowers the barrier for misuse by anyone with local access or by an adjacent tool/plugin running in the same user context. While the path alone is not the secret, documenting it without an explicit warning that the token is highly sensitive encourages unsafe handling and can facilitate credential theft or unauthorized API use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document provides detailed instructions and sample code for reading a local auth token from disk and using it to retrieve credentials, but it does not foreground the sensitivity of the token or warn that anyone able to run such a script effectively gains access to protected secrets. In a skill intended for analysts, this can normalize dangerous handling of local secret material and increase the chance of credential misuse or unsafe script sharing.

Credential Access

High
Category
Privilege Escalation
Content
# How to Write Scripts for Zero-Exposure Credential Calls

Scripts can safely access credentials, but AI can never see credential content.

Below is the **standard zero-exposure credential call pattern** (pseudocode):
Confidence
95% confidence
Finding
access credentials

Session Persistence

Medium
Category
Rogue Agent
Content
---

# How to Write Scripts for Zero-Exposure Credential Calls

Scripts can safely access credentials, but AI can never see credential content.
Confidence
78% confidence
Finding
Write Scripts for Zero-Exposure Credential Calls Scripts can safely access credentials, but AI can never see credential content. Below is the **standard zero-exposure credential call pattern** (pseu

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.