Back to skill

Security audit

Acrid's Skill Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed skill-scaffolding helper that writes generated skill files, with no hidden execution, credential use, or destructive behavior found.

Install this only if you want an agent to scaffold new skills in your workspace. Before accepting generated output, review the target path, any files that would be created or overwritten, and any generated Bash steps, external API calls, credentials, dependencies, or helper scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes that the skill generates and writes multiple files into the user's workspace, but it does not clearly warn users up front about this side effect or its scope. For a meta-skill that creates whole directory trees and helper scripts, lack of explicit disclosure can lead to unexpected file creation, overwrites, or workspace modification, which increases operational and security risk if invoked in a sensitive repository.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad enough to match ordinary requests like 'Create a skill' or 'Build me a skill,' which can cause this powerful meta-skill to activate in situations the user may not have intended. Because the skill can generate arbitrary new capabilities and later writes files, overbroad activation increases the chance of unintended code or workflow generation from ambiguous prompts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to write all generated files using the Write tool, but it does not require a user-facing warning, destination confirmation, or path constraints before modifying the filesystem. In a meta-skill that can generate multi-file artifacts, this creates a real risk of unintended file creation or overwriting, especially if invoked from an ambiguous or adversarial prompt.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.