Back to skill

Security audit

adaptive-suite

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly harmful, but it needs review because it can catalog NAS file information and asks for vague API-key access without clear limits.

Install only if you are comfortable with a broad assistant skill. Before using the NAS scraper, require explicit user-selected directories, exclude sensitive shares, keep results local, and define deletion controls. Do not provide a broad FREE_API_KEYS bundle; use separate least-privilege keys for specific named services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description grants very broad authority across coding, business analysis, project management, web development, data analysis, and NAS scraping without defining when each capability should activate or what safety boundaries apply. Overly broad scope increases the chance of unintended invocation, excessive tool use, and handling of sensitive tasks outside user expectations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Telling the skill to act as a versatile coder across multiple languages and frameworks is too open-ended and lacks clear trigger boundaries, approval requirements, or restrictions on code generation behavior. In practice, this can cause the agent to overreach into unrelated development tasks or produce risky code patterns without sufficient contextual checks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The NAS metadata scraper capability explicitly collects file names, metadata, and directory structure, which can expose sensitive operational or personal information even in read-only mode. Because the skill omits a prominent user warning and consent language, users may not understand that inventorying filenames and paths itself can constitute sensitive data collection.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.