
Security audit

message-friendly

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple Markdown-to-IM formatter with no executable code, but its automatic trigger may reformat messages more often than some users expect.

Install this if you want Markdown-heavy responses automatically converted for IM platforms. Review transformed messages before sending when exact Markdown, code blocks, tables, or full wording must be preserved, and verify publisher provenance if the owner-ID mismatch matters to your policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill is configured with an automatic trigger and broad channel/content filters, so it may activate on many ordinary IM responses that merely contain common Markdown tokens. That can cause unintended transformation of agent output in contexts where the skill was not explicitly requested, creating integrity and reliability issues and potentially altering meaning, formatting, or structured content users expected to remain unchanged.

VirusTotal

65/65 vendors flagged this skill as clean.
