Back to skill

Security audit

sleep rabbit plugin

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as a safe sleep-analysis tool, but its artifacts are internally inconsistent and include undisclosed file and environment access that users should review before installing.

Do not install this version unless you are prepared to sandbox it and review the source. Treat it as a Review item because the security claims are not trustworthy, the main skill appears broken, and some modules may create or export sensitive analysis files outside the behavior promised in the documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script presents a 'comprehensive security verification' but only performs regex-based pattern matching over source files and infers safety from nearby text such as 'safe_' or 'security.validate'. This can miss write primitives, alternate APIs, indirect sinks, dynamic calls, or unsafe wrappers, so users may be falsely assured that all file writes are controlled when they are not.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The final output states that 'ALL SECURITY CLAIMS ARE PROVEN AND VERIFIED' and that documentation matches implementation regardless of the inherent incompleteness of the earlier checks. In a security-sensitive skill, overstated assurance is dangerous because operators may trust the package, lower scrutiny, and deploy code with undetected unsafe file-write behavior.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module claims file writes are disabled by default, but import-time code later creates a directory and writes a README unconditionally. This is dangerous because simply importing the package causes side effects on the host filesystem, violating least surprise and undermining trust in the stated security model.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code prints that file writes are disabled and documentation claims are verified, even though the module performs filesystem writes during initialization. Misleading security assertions are dangerous because operators and other code may rely on them, causing unsafe deployment decisions and masking unauthorized side effects.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The package states outputs are confined and writes are disabled by default, but the import path still initializes output storage on disk without user action. In an agent-skill context, import-time writes are more dangerous because skills may be loaded automatically in shared or restricted environments, creating unexpected persistence and breaking host assumptions about non-mutating initialization.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module-level docstring explicitly claims that file writes are controlled by a security controller and disabled by default, but the code later builds multiple output paths for images, JSON, CSV, and report files with no visible enforcement or permission gate. Misleading security assertions are dangerous because downstream agents or reviewers may trust the claim and invoke the skill in contexts where writing derived EEG data to disk is not allowed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function docstring repeats the same assurance that output is security-controlled, yet the function proceeds to prepare unmanaged output artifacts under a relative directory. In a security-sensitive environment, false assurances inside executable skills increase risk because orchestrators may rely on them when deciding whether the skill may access persistent storage.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
This module advertises local security controls without broader side effects, but importing it immediately creates a directory and prints status messages at module scope. Those import-time side effects can violate caller expectations, trigger unintended filesystem changes, and weaken sandbox assumptions in environments that rely on safe or inert imports.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code claims file writes are disabled by default, but __init__ unconditionally calls mkdir() on analysis_outputs, causing a filesystem write during object creation. In agent or sandboxed environments, this breaks the promised security model and can be abused to perform unauthorized writes simply by importing the module.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module advertises itself as a 'REAL professional sleep analysis module,' but the code implements only a simplistic heuristic classifier and contains multiple correctness and implementation defects. In a medical-analysis context, overstating capability can mislead downstream users or agents into trusting clinically unreliable output, creating a safety and integrity risk even without classic code execution impact.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code signals that it creates histogram and text report outputs, but the corresponding functions do not actually write the advertised files. This discrepancy can cause downstream automation to assume artifacts exist and act on missing, stale, or incomplete results, undermining integrity and traceability of analysis workflows.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a true issue because the script claims to verify implemented security controls, but it only performs brittle substring checks against source text. An attacker or careless maintainer could satisfy these checks by inserting the expected phrases in dead code, comments, or non-enforcing code paths, causing false assurance that security protections are present.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This is a genuine vulnerability in the integrity of the verification process: the tool presents itself as checking documentation truthfulness, but it merely checks for preferred phrases such as 'security theater' or 'actually implemented'. That allows deceptive documentation to pass by parroting expected wording without any correspondence to the real behavior of the skill.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The summary output is misleading because it declares that the version 'successfully fixes' security-theater issues based only on aggregated shallow text checks. In a security-sensitive skill context, this increases risk by creating unjustified trust and could cause reviewers or users to rely on protections that were never actually validated.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The module documentation presents the skill as a narrowly scoped, memory-first local sleep-analysis tool, but the implementation exposes additional wellness and host-inspection capabilities. This mismatch is dangerous because operators may grant trust or permissions based on the declared purpose while the code offers broader functionality, increasing the chance of unauthorized filesystem and environment access.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
A skill documented as sleep analysis includes unrelated capabilities such as stress evaluation, meditation guidance, music therapy, file inspection, and environment inspection. Excess capability violates least privilege and makes it easier to hide risky behavior inside a seemingly benign medical-analysis skill, especially in agent ecosystems where users rely on the declared purpose to assess trust.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The env-check command exposes host and runtime details including Python version, platform, executable path, current directory, skill directory, and writability. Even without network access, this is sensitive reconnaissance data that can help an attacker tailor follow-on attacks or exfiltration through other components in a larger agent system.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file-info command provides generic filesystem metadata retrieval beyond what is needed for core sleep analysis. This broadens the attack surface by enabling directory/file reconnaissance and validation of host files under the guise of a healthcare-related skill.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Stress evaluation, meditation guidance, and music therapy are outside the stated scope of a transparent sleep-analysis skill and materially expand its behavioral surface. In security review, unexplained extra features are risky because they can mask abuse, complicate permissioning, and create opportunities for unintended data handling or misleading trust assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Creating a directory and writing a file during package initialization without warning or confirmation is a real security and quality issue. Even if the target path is local and seemingly benign, unsolicited filesystem modification can violate sandbox expectations, fail in read-only environments, or be abused to leave artifacts and signal execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code derives an output directory and prepares several analysis artifacts containing information extracted from EEG/EDF input without any visible user confirmation, consent check, or runtime gating. In this skill context, the data is biomedical and potentially sensitive, so silent persistence to disk can create privacy, retention, and policy-compliance issues even if the path is local.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The function writes derived sleep-analysis results to disk automatically, without explicit caller consent, configurable output control, or clear disclosure. In a skill context processing potentially sensitive medical data, silent persistence increases the risk of unintended retention, privacy exposure, and leakage to other local users or systems that monitor the analysis_outputs directory.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The export-result command writes stored analysis results to disk without a strong user-facing confirmation or warning at execution time. Because the skill handles potentially sensitive health-related analysis output, silent export can cause unintended persistence of private data and weaken the claimed memory-first handling model.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.