Security audit

Karpathy.skill - Andrej Karpathy Thinking Operating System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a persona/style skill with some broad activation and language-preference caveats, but no evidence of harmful system access or data handling.

Install only if you want this persona/style behavior available in normal conversations. Expect occasional unintended activation from broad conceptual trigger phrases and possible Chinese-language default responses; otherwise there is no artifact-backed evidence here of command execution, data access, persistence, or exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The trigger conditions are broad enough to activate on generic AI discussions that use phrases like '工程现实主义角度' ("from an engineering-realism perspective") or '构建即理解' ("building is understanding"), even when the user did not explicitly request roleplay or this persona. That can cause unintended persona injection, misrouting, and stronger instruction dominance, because once triggered the skill requires first-person impersonation and suppresses meta framing.

Natural-Language Policy Violations

Medium (79% confidence)
Finding
The skill prescribes Chinese-language output as a default behavior rather than following the user's chosen language. This can override user intent, reduce transparency, and produce unexpected behavior, though it is more of a policy/UX control issue than a high-severity security flaw.

VirusTotal

65/65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.