Back to skill

Security audit

Dan Koe Writer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed writing-assistant skill that reads user-provided content or bundled writing notes to generate prompts and draft context.

Install only if you are comfortable with a writing tool that may read article files you choose, fetch article URLs you provide, and pass that content into model prompts. Avoid using sensitive private documents or untrusted pages without reviewing the generated prompt/context first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented behavior expands beyond a simple writing assistant by fetching arbitrary external URLs and passing scraped content onward as prompts/context for another model. That mismatch matters because users may invoke the skill expecting local writing help, while it can ingest untrusted remote content and influence downstream model behavior, increasing prompt-injection and data-handling risk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The file defines a trigger/activation field using unconstrained examples and does not specify when those words should or should not activate downstream behavior. In an agent skill, broad trigger language can cause unintended invocation or retrieval on ordinary user text, making the system easier to steer or misfire in ways the user did not intend.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger keywords here are common everyday terms, so they are likely to appear in normal conversation unrelated to this specific writing pattern. In a skill context, that increases the chance of accidental routing, retrieval, or prompt assembly based on incidental language instead of genuine user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
This trigger list uses generic productivity vocabulary such as time, efficiency, and busyness, which overlaps heavily with routine requests. That makes the skill more prone to overmatching and can surface inappropriate content blocks or workflows when a user is discussing normal work topics.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The terms in this trigger set are broad and lack explicit activation rules, so many unrelated discussions about goals, choices, or prioritization may match. In a writing-assistant skill, this can distort outputs by selecting the wrong template or persuasion frame from commonplace language.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains broad self-help language that is common across many benign conversations, especially in a content-generation tool. Because the vocabulary is so general, the skill may inappropriately infer psychological framing from casual mentions and apply the wrong content strategy.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Identity-related keywords like self, identity, or growth are especially broad and can collide with ordinary reflective or educational discussion. In an agent skill that maps user text to persuasive writing frames, this can lead to false activation around sensitive personal topics and produce mismatched or manipulative responses.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The final trigger list again uses generic terms without defining boundaries, creating cumulative ambiguity across the knowledge base. When multiple entries use broad overlapping keywords, the agent becomes harder to predict and easier to accidentally or adversarially steer through normal-seeming language.

Unvalidated Output Injection

High
Category
Output Handling
Content
```python
# 示例:Agent 读取 spark.py 的 JSON 输出
result = subprocess.run(["python", "spark.py", "--json"], capture_output=True)
ideas = json.loads(result.stdout)

# 然后用 Agent 的模型生成文章
Confidence
90% confidence
Finding
subprocess.run(["python", "spark.py", "--json"], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.