Back to skill

Security audit

Deep Research

Security checks across malware telemetry and agentic risk

Overview

This is a transparent deep-research workflow skill that searches sources, writes a report, and optionally creates HTML, with no evidence of hidden or harmful behavior.

Install this if you want a structured, source-heavy research workflow that can perform multiple web searches and save reports locally. Be aware that broad research terms may trigger it more often than expected, and review the generated outline before allowing a long research run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad, everyday phrases such as “report”, “investigate”, “帮我了解”, “全面梳理”, and “综合分析”, which can match many ordinary user requests outside true deep-research intent. This can cause unintended activation of a high-autonomy workflow that performs multi-step web research, asks follow-up questions, and writes files, increasing the chance of overreach, unnecessary tool use, and user surprise.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The writing guide is entirely in Chinese and repeatedly mandates Chinese-specific output structures without offering a user-language fallback or documenting a legitimate locale restriction. In a general-purpose deep-research skill, this can override user intent, degrade accessibility, and cause unsafe instruction-priority behavior where the agent follows the skill’s language bias instead of the user’s requested language.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.