Back to skill

Security audit

Iaiops Water

Security checks across malware telemetry and agentic risk

Overview

The skill is documentation-only and not malware, but its read-only safety claim conflicts with listed always-exposed export, publish, and push tools for an industrial water-treatment context.

Install only if you are comfortable with a Review-level skill for industrial water operations. Before enabling it near production networks, confirm the actual MCP server enforces a read-only profile that disables export, publish, push, learning, and baseline mutation tools unless explicitly approved and scoped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest and description repeatedly assert that the water edition is read-only, but the documented tool inventory includes capabilities such as historian_push, export_data, stream_publish, and stream_publish_event. In an ICS/water-treatment context, this mismatch can cause operators or downstream agents to grant the skill more trust than warranted, leading to unauthorized exfiltration or outbound data movement despite the safety claim.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file says the edition's tool surface is fully read-only, yet a later section states that cross-protocol tools are always exposed and includes clearly non-read-only/egress functions. This is dangerous because it creates a deceptive safety boundary around a critical industrial environment, where users may rely on the read-only claim when deciding whether the skill is safe to enable in production networks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.