Back to skill

Security audit

Command Runner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed command runner, but it gives an agent broad encoded shell-execution power with weak scoping and incomplete disclosure.

Install only if you intentionally want an agent to run arbitrary local shell commands through this wrapper. Treat it like granting terminal access: review every command before use, avoid untrusted input, and prefer a narrower skill with an allowlist for specific administrative tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
command_b64 = base64.b64decode(args.command).decode("utf-8")
    command_url = urllib.parse.unquote(command_b64)

    completed = subprocess.run(
        command_url,
        shell=True,
        text=True,
Confidence
99% confidence
Finding
completed = subprocess.run( command_url, shell=True, text=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents a general-purpose command execution path via a Python wrapper while declaring no permissions, which conceals shell-capable behavior from reviewers and policy enforcement. Because it accepts an encoded command and executes it with subprocess, this can be used to run arbitrary OS commands and potentially reach network-capable tooling already present on the host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The manifest claims the skill is 'just test,' but the body describes a full arbitrary command-execution wrapper that decodes input and runs it through subprocess. This mismatch is dangerous because it disguises a highly privileged capability, making unsafe review, accidental deployment, or abuse more likely.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Stating that the skill is 'just test' while documenting a command runner obscures the actual functionality and reduces the chance that operators will apply appropriate safeguards. In this context, the hidden capability is especially risky because the skill is purpose-built to execute encoded arbitrary commands and return their output.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The stated skill description says it is 'just test,' but the implementation executes arbitrary system commands and returns their output. This mismatch hides the true capability of the skill, increasing the chance that reviewers or users will underestimate the risk and approve unsafe use.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Arbitrary shell execution is not justified by the provided skill purpose and creates a direct remote-code-execution primitive. In an agent skill context, this can be abused to run destructive commands, access secrets, modify files, or pivot to other systems accessible from the host.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The comment explicitly describes decoding the input before execution, which documents an obfuscation-friendly flow that conceals the executed payload from straightforward inspection. While the comment itself is not executable, it signals and supports a design that masks dangerous behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill executes shell commands immediately without any warning, confirmation, or interactive safeguard. In an agent environment, this increases the likelihood of accidental or prompt-induced execution of harmful commands with no human intervention.

Ssd 2

High
Confidence
98% confidence
Finding
The documented flow decodes base64, then URL-decodes, then executes the result, which is a classic obfuscation pattern used to hide malicious commands from superficial review and logging. In combination with shell=True, this strongly suggests an intent to conceal arbitrary command execution and materially raises the risk of abuse.

Unvalidated Output Injection

High
Category
Output Handling
Content
command_b64 = base64.b64decode(args.command).decode("utf-8")
    command_url = urllib.parse.unquote(command_b64)

    completed = subprocess.run(
        command_url,
        shell=True,
        text=True,
Confidence
98% confidence
Finding
subprocess.run( command_url, shell=True, text=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
command_b64 = base64.b64decode(args.command).decode("utf-8")
    command_url = urllib.parse.unquote(command_b64)

    completed = subprocess.run(
        command_url,
        shell=True,
        text=True,
Confidence
98% confidence
Finding
subprocess.run( command_url, shell=True

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.