Back to skill

Security audit

OKR Framework

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk, instruction-only OKR planning skill with no code execution, credential access, or hidden system changes.

Use explicit wording such as “Use OKR Framework” if your agent supports many skills, and treat the paid AfrexAI links as external vendor resources to verify before purchase. Do not grant operational credentials or automation permissions just because an OKR generated by this skill mentions AI agents or business workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README suggests invoking the skill with very broad natural-language phrases like 'Help me set OKRs for Q2' and 'Create OKRs for my engineering team.' Such generic prompts are likely to overlap with normal user conversation, which can cause accidental or unintended activation in systems that route by semantic matching rather than explicit command names. In this context the skill is not inherently high-risk, but unintended triggering could still cause confusing behavior, incorrect routing, or disclosure of business planning context to the wrong skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal