Security audit

My Skill

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill discloses its Example API token use and data-changing behavior, with confirmation required before mutations.

Install only if you intend to let an agent call the Example API. Configure a least-privilege MY_API_KEY, read confirmation prompts carefully before approving changes, and avoid sending unencrypted personal data in payloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The activation trigger includes broad phrases such as "do the thing" and "执行操作", which are generic enough to match ordinary conversation and unintentionally invoke a capability that performs state-changing API actions. In this skill’s context, accidental activation is more dangerous because the skill is explicitly designed to support data modification operations, so broad matching increases the chance of unintended destructive or sensitive requests reaching the confirmation flow.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.