This skill facilitates remote code execution and supply chain attacks by fetching unpinned dependencies and arbitrary external content, while lacking necessary security constraints for its OS-level command execution.
npx skills add https://github.com/MustaphaSteph/vorec-pluginsThe skill content contains multiple critical security findings, specifically remote code download and execution, and the use of unpinned dependencies, which contradicts the claimed purpose of a simple recording tool.
Static analysis flagged [critical] MONDOO_AGENT_SKILL_CE_003 (Remote code download and execution) and multiple [medium] MONDOO_AGENT_SKILL_SC_005 (Unpinned npx package execution).
Remote code download and execution detected
python3 -c "from urllib
The skill provides instructions for using `pkill` and `ps` with user-provided strings, which could be exploited for command injection if the agent's input handling is not strictly sanitized. [ensemble: confirmed by 3/3 passes; severity set to the agreed median (ADR-0067).]
pkill -f "$SESSION_PROFILE"
The skill mandates the use of `npx @vorec/cli@latest` and `npm install -g @vorec/cli@latest` without integrity pinning or version locking. This exposes the user to potential supply chain attacks where a malicious update to the package could execute arbitrary code on the host machine.
npx @vorec/cli@latest run vorec.json
child_process module imported — any exec/execSync/spawn call executes OS commands
import { exec } from 'node:child_process';NER model detected organization in skill content (confidence: 0.51)
V***
NER model detected organization in skill content (confidence: 0.71)
V****
NER model detected organization in skill content (confidence: 0.83)
D********
NER model detected organization in skill content (confidence: 0.84)
V*************
NER model detected organization in skill content (confidence: 0.70)
*
NER model detected organization in skill content (confidence: 0.96)
*
The skill instructs the agent to fetch and parse arbitrary external URLs (help articles/docs) and treat their content as the 'source of truth' for recording steps, which is a classic indirect prompt injection vector. [ensemble: confirmed by 3/3 passes; severity set to the agreed median (ADR-0067).]
When the request includes a link to a help article... read the article-guide-parsing section below now. That article is the source of truth
Hidden/zero CSS (display:none, visibility:hidden, opacity:0, font-size:0) — weak hidden-content signal (common in legitimate UI/animation) (seen 2 times in this file at lines 366, 371)
opacity:0
Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime (seen 3 times in this file at lines 165, 3677, 4089)
npx cache
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning (seen 4 times in this file at lines 190, 194, 668, 3674)
npm install -g
Post-install or dynamic dependency fetching — runtime code loading from untrusted sources
require()`, `import`, `fs`, `process` — browser sandbox only - `console.log` does NOT appear in stdout — use `return` for output - For anything needing Node APIs, write a standalone `.mjs` script instead ## Related files - [./cli-commands.md](./cli-commands.md) — Core commands (open, click, snapshot) - [../SKILL.md](../SKILL.md) — Manifest format +
SKILL.md links to "cli-commands.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[./cli-commands.md](./cli-commands.md)
SKILL.md links to "context-writing.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[./context-writing.md](./context-writing.md)
SKILL.md links to "live-site-discovery.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[./live-site-discovery.md](./live-site-discovery.md)
SKILL.md links to "narration-rules.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[./narration-rules.md](./narration-rules.md)
SKILL.md links to "pacing.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[./pacing.md](./pacing.md)
Skill does not specify a license field. Specifying a license helps users understand usage terms.
[](https://mondoo.com/ai-agent-security/skills/github/MustaphaSteph/vorec-plugins/record-tutorial)<a href="https://mondoo.com/ai-agent-security/skills/github/MustaphaSteph/vorec-plugins/record-tutorial"><img src="https://mondoo.com/ai-agent-security/api/badge/github/MustaphaSteph/vorec-plugins/record-tutorial.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/MustaphaSteph/vorec-plugins/record-tutorial.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.