Security audit

Secure Script Runner (Zero‑Exposure Sandbox)

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is not malware, but it teaches agents to run hidden encrypted scripts and use local credentials without enough consent or scope guidance.

Install only if you understand and trust MGC Blackbox and the scripts being stored. Treat any stored script as code that can act with your local privileges and may access internal credentials; require manual approval and review of script provenance before execution, and avoid exposing broad credentials through the local token-backed API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill explicitly claims it contains no executable code and is safe for automatic approval, yet it provides concrete instructions and code snippets for storing and executing scripts and for retrieving credentials via a local API token. This is dangerous because the 'safe for automatic approval' framing can reduce scrutiny around a skill whose primary purpose is privileged script execution with limited visibility to the AI reviewer.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes storing and executing scripts, including use of internal credentials, but provides no security warning, authorization guidance, or limits on what those scripts can access. In the context of an agent skill, this can normalize unsafe automation and enable users or agents to run privileged code with sensitive access, increasing the risk of credential misuse, data exfiltration, or destructive actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation teaches how to run stored scripts and how those scripts can call internal MGC credentials, but it does not include strong warnings, approval gates, or restrictions for executing untrusted scripts or performing credential-backed actions. In this context, 'zero-exposure' increases danger because the AI cannot inspect script plaintext, making malicious or unsafe behavior harder to detect before execution.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The manifest description advertises broad script execution, internal credential calls, and multiple execution surfaces (MCP/API/WebUI) without stating what user action is required, what scope is allowed, or what safety boundaries exist. In a security-sensitive execution skill, this ambiguity can lead users or integrating agents to over-trust the tool and invoke powerful actions in unintended contexts.

Natural-Language Policy Violations

Low
Confidence
78% confidence
Finding
The claim that 'AI never sees plaintext' is an absolute assurance that may be misleading if there are edge cases, metadata exposure, logging, local operator access, or optional workflows that break that guarantee. Absolute privacy/security claims in manifests can cause unsafe reliance and reduce scrutiny, especially for a tool centered on encrypted script execution and credential use.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.