免费版

Security checks across malware telemetry and agentic risk

Overview

This is a contract-review helper with broad activation examples, but its behavior is disclosed and limited to analyzing user-provided legal documents.

Install only if you are comfortable letting the agent analyze contract text you provide. For privileged, confidential, or high-value agreements, confirm the skill is intentionally being used and have a qualified lawyer review material terms before relying on the output.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list includes broad natural-language phrases such as generic contract-help requests and auto-activation on uploaded legal documents, which can cause the skill to fire when the user did not explicitly intend to invoke this specific workflow. That increases the chance of unintended document processing, unexpected disclosure of sensitive contract contents to the configured model, and workflow hijacking from other more appropriate skills.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The example trigger phrases are broad, natural-language requests such as asking to review a contract or say whether it can be signed. In systems that invoke skills based on fuzzy matching, this can cause the skill to activate unintentionally on ordinary conversation, exposing sensitive contract text to the wrong workflow or producing actions the user did not explicitly intend.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal