Skill1

Security checks across malware telemetry and agentic risk

Overview

This is a simple code-review prompt skill with no executable code, persistence, network access, or hidden data handling.

Safe to install if you want a structured code-review helper. Be aware it may trigger on general phrases like “code review”; invoke it explicitly when you want that workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases include generic terms like “code review” and “review this code,” which are common in ordinary developer conversation and can cause the skill to activate unintentionally. Over-broad activation increases the chance the skill runs in the wrong context, producing unsolicited analysis, overriding more appropriate skills, or handling content the user did not intend for this workflow.

Vague Triggers

Medium
Confidence: 87%
Finding
The usage guidance says the skill activates when the user mentions needing code review, code quality checks, or provides code for evaluation, but it does not define clear boundaries for when it should remain inactive. This ambiguity can lead to accidental invocation during normal discussion, increasing the risk of incorrect routing and unintended processing of user content.

VirusTotal

63/63 vendors flagged this skill as clean.
