Gen Test Plan

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates a repository test-plan file and does not show hidden execution, exfiltration, or destructive behavior.

Install this if you want an agent to inspect a repository and create an E2E test-plan file. Review the generated YAML before running it with any execution skill, especially for steps that touch real services, databases, credentials, or production-like environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: Low
Confidence: 97%
Finding:
At L037-L041, the skill defines a hard gate requiring a Python command that parses the YAML and asserts all four top-level keys are present, explicitly warning that a single grep-based check is insufficient. But in Step 8 at L348-L349, the verification instructions tell the user to check required fields with `grep -E`, which the earlier documentation says would incorrectly pass when only one key exists. This is an active contradiction between the skill's own instructions and its later verification code.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding:
This markdown skill directs the agent to create `docs/testing/` and write `docs/testing/test-plan.yaml`, which modifies the user's working tree. The file describes the action operationally, but it does not include an explicit warning or disclosure that running the skill will create files in the repository.

VirusTotal

64/64 vendors flagged this skill as clean.