Back to skill

Security audit

Iaiops Process

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a process-plant monitoring guide, but it under-discloses always-exposed export and publish tools in a sensitive industrial context.

Review before installing in any production OT or plant environment. Treat historian_push, export_data, stream_publish, and stream_publish_event as write/export capabilities, require explicit operator approval and destination allowlists, and verify the underlying iaiops MCP server enforces dry-run, audit, and MOC controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill’s manifest and workflow text repeatedly frame the edition as read-first and effectively read-only for plant protocols, yet the always-exposed server tool list includes write-adjacent capabilities such as historian_push, export_data, stream_publish, and stream_publish_event. In an OT/process-plant context, this mismatch can cause an agent or operator to over-trust the skill and invoke outbound data movement or message publication without the same MOC/approval expectations, creating unauthorized data exfiltration or unintended operational signaling paths.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The workflow states that only Sparkplug adds a write surface, but the broader tool inventory already exposes publish/push operations outside Sparkplug. This creates a dangerous false assurance boundary: users may believe they are safe so long as Sparkplug is not enabled, while other tools can still transmit data or events and potentially affect downstream systems in a sensitive industrial environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.