Back to skill

Security audit

Narrative Quality Auditor

Security checks across malware telemetry and agentic risk

Overview

This narrative-auditing skill is mostly coherent, but it explicitly allows persistent memory updates without asking the user first.

Install only if you are comfortable with the skill reading your brand canon, claims, and audit inputs, and configure the host to require approval before any write to memory/hot-cache.md or other memory files. Prefer using bundled or pinned reference files rather than live-fetching mutable GitHub markdown during an audit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are overly broad and include generic requests like checking whether a single surface is 'on-canon' or 'defensible', which can overlap with adjacent skills and cause this auditor to activate outside its intended scope. In an agentic system, over-broad routing is dangerous because it can invoke the wrong workflow, leading to unintended reads, scoring, and persistence actions on user content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that it will promote a veto marker and verdict to memory/hot-cache.md automatically as a 'gate privilege', bypassing user confirmation. Automatic persistence of derived judgments is risky because it can create unauthorized state changes, leak sensitive business assessments into shared memory, and influence later agent behavior without the user's explicit consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The standalone fallback instructs the agent to fetch remote reference files from GitHub if local references are missing, without a strong user warning or trust boundary. This introduces a supply-chain and prompt-injection surface because remote markdown can change over time and may influence the skill's behavior, scoring, or decisions.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Save Results

Ask before writing memory. On confirmation, write the artifact to `memory/audits/narrative/YYYY-MM-DD-<topic>.md` with `class: auditor-output` in its frontmatter and the full §1 handoff schema (`status`, `objective`, `target`, `key_findings`, `evidence_summary`, `recommended_next_skill`, `cap_applied`, `raw_overall_score`, `final_overall_score`). The PostToolUse Artifact Gate validates anything under `memory/audits/`. Promote one veto marker and the verdict to `memory/hot-cache.md` without asking — the gate privilege. Canon-grade facts surfaced by the audit (a hierarchy contradiction, a stale version) go to `memory/narrative-registry/candidates.md` for [narrative-registry](../../../protocol/narrative-registry/SKILL.md) to promote; unverified claims go to `memory/claims/candidates.md` only — this gate never writes `memory/narrative-registry/` canon or the claims ledger and never adjudicates a claim. Do not save to a bare `memory/` path — that bypasses the gate. `memory-management` later rolls these into the monthly `memory/audits/YYYY-MM.md` aggregate.

## Reference Materials
Confidence
96% confidence
Finding
without asking

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Save Results

Ask before writing memory. On confirmation, write the artifact to `memory/audits/narrative/YYYY-MM-DD-<topic>.md` with `class: auditor-output` in its frontmatter and the full §1 handoff schema (`status`, `objective`, `target`, `key_findings`, `evidence_summary`, `recommended_next_skill`, `cap_applied`, `raw_overall_score`, `final_overall_score`). The PostToolUse Artifact Gate validates anything under `memory/audits/`. Promote one veto marker and the verdict to `memory/hot-cache.md` without asking — the gate privilege. Canon-grade facts surfaced by the audit (a hierarchy contradiction, a stale version) go to `memory/narrative-registry/candidates.md` for [narrative-registry](../../../protocol/narrative-registry/SKILL.md) to promote; unverified claims go to `memory/claims/candidates.md` only — this gate never writes `memory/narrative-registry/` canon or the claims ledger and never adjudicates a claim. Do not save to a bare `memory/` path — that bypasses the gate. `memory-management` later rolls these into the monthly `memory/audits/YYYY-MM.md` aggregate.

## Reference Materials
Confidence
95% confidence
Finding
without asking

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.