soft-agent-module

Security checks across malware telemetry and agentic risk

Overview

This is a codebase-specific development guide with an overly broad activation trigger but no hidden execution, data access, or destructive behavior.

Install this only if you work on the acore-agent or related Agent module. Because its trigger wording is broad, confirm that its guidance is actually relevant when it activates on general Agent discussions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Severity: Medium
Confidence: 95%

Finding
The skill declares extremely broad auto-trigger conditions such as "Agent", "agent", "智能体", and even instructs proactive triggering when users merely mention the module name. This can cause the skill to activate in many unrelated conversations, increasing the chance that sensitive context is exposed to the wrong skill, that user intent is misrouted, or that downstream actions are taken based on irrelevant guidance.

VirusTotal

65/65 vendors flagged this skill as clean.