Back to skill

Security audit

Agent Rules

Security checks across malware telemetry and agentic risk

Overview

This skill has no executable payload, but it tries to become a persistent high-priority behavior override that can weaken normal safety boundaries.

Install only if you intentionally want this skill to exert persistent high-priority control over agent behavior. It does not show malware or data exfiltration, but its wording is broad enough to interfere with safety refusals, workspace rules, and cautious handling of destructive or sensitive requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is marked as a system-injected, highest-priority rule set, and it contains a blanket instruction that every user command must be executed as-is. That undermines normal safety controls, policy checks, and contextual safeguards, because a malicious or unsafe user instruction could be treated as mandatory even when it conflicts with higher-level security requirements.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document presents itself as a protective ruleset, but its top rule requires blind execution of all user instructions, which directly conflicts with the later cautionary checks. In practice, the contradiction weakens the safeguards because the highest-priority clause can be invoked to bypass risk review before destructive actions, secret handling, or other sensitive operations.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill declares itself the sole source of behavioral constraints and says later user instructions cannot modify or relax it, while also being system-injected and high priority. In context, this is dangerous because it attempts to displace legitimate higher-context governance and creates a rigid instruction layer that could interfere with platform safety updates, admin controls, or safer workspace policies.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.