Back to skill

Security audit

Iaiops Warehouse

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a documentation-only warehouse operations helper, but it claims to be read-only while documenting tools that can modify industrial systems or transmit operational data.

Install only if you intend to use this in a controlled warehouse OT context and can enforce approval gates outside the skill. Treat it as potentially write-capable and egress-capable despite the read-only claim, and verify destinations, dry-run behavior, and change-control requirements before using it near production control systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest explicitly says the edition's tool surface is read-only, but the body documents write-capable tools such as `eip_write_tag`, `profinet_dcp_set`, and `mqtt_publish`. This mismatch can cause operators or upstream agents to trust the skill as non-invasive and invoke it in sensitive OT environments, creating a real risk of unintended control changes or network-side effects.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation repeats a read-only/read-first safety posture, then later includes active write workflows and approval paths for modifying PLC tags and Profinet settings. In industrial warehouse environments, this inconsistency is dangerous because users may rely on the earlier safety claim and overlook that the skill can perform operationally disruptive actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation phrases are very broad and include common warehouse and logistics terminology in multiple languages, which increases the chance the skill is invoked for general discussions rather than intentional OT analysis. In a skill that exposes industrial network tooling, accidental invocation broadens access to sensitive capability and can lead to inappropriate data access or risky follow-on actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool list includes network transmission functions such as `mqtt_publish`, `stream_publish`, `stream_publish_event`, `historian_push`, and `export_data` without a prominent user-facing warning that these may send telemetry or operational data to external systems. In warehouse OT contexts, silent or poorly disclosed data egress can expose sensitive production, fleet, or control information and may violate segmentation or change-control expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.