Security audit

Sop Extractor

Security checks across malware telemetry and agentic risk

Overview

This SOP-to-skill generator is coherent, but it can create persistent skills that may store credentials and auto-install tools, so users should review it carefully before use.

Review each generated skill before saving or running it. Do not provide real passwords, broad database credentials, or webhook URLs unless the workflow clearly needs them; prefer scoped app tokens or read-only accounts. Require explicit approval before any package install, credential write, or business-system action, and keep generated trigger phrases narrow and unambiguous.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability
Medium, 90% confidence
Finding: This guide instructs the agent to persist externally supplied credentials into long-lived environment files such as shell profiles and .env files, expanding the skill from SOP extraction into credential management and system configuration. In the context of a skill generator, that capability is broader than necessary and can normalize collection and storage of sensitive secrets, increasing the chance of credential mishandling or abuse if reused by generated skills.

Context-Inappropriate Capability
Medium, 87% confidence
Finding: The file includes generalized setup procedures for SMTP, WeCom webhooks, and databases, which are unrelated to the stated purpose of extracting workflows into reusable skills. In a skill-construction context, this broadens operational reach and may encourage generated skills to request powerful external-service credentials without sufficient justification or least-privilege controls.

Context-Inappropriate Capability
Medium, 93% confidence
Finding: The template explicitly instructs generated skills to check for missing tools and automatically install them via pip or apt at execution time. For an SOP-extraction/generation skill, this grants downstream skills unnecessary package-management capability and can lead to unreviewed code execution, supply-chain risk, or unintended system modification on the agent host.

Context-Inappropriate Capability
High, 96% confidence
Finding: The credential flow tells generated skills to accept user-provided secrets and write them into environment variables, which exceeds the stated purpose of extracting SOPs into reusable skills. This creates a path for secret collection, persistence, and misuse by generated skills, especially if environment variables are later exposed to subprocesses, logs, or unrelated tools.

Missing User Warnings
Medium, 91% confidence
Finding: The skill instructs the agent to write generated workflow documents into the skills directory after user confirmation, but it does not clearly describe the filesystem modification risk, target path constraints, or safe file-handling rules. In an agent environment, writing into a skills directory can persist behavior, overwrite existing content, or create new executable or prompt artifacts, making this more dangerous than ordinary document generation.

Missing User Warnings
Medium, 95% confidence
Finding: The persistence instructions tell users to place secrets into ~/.zshrc and .env-style files and even provide update commands, but they do not explicitly warn about secret leakage through shell history, file permissions, backups, process environments, or accidental source control inclusion. Because this is a reusable guide for generated skills, it can systematically propagate insecure secret-storage practices across multiple deployments.

Vague Triggers
Medium, 95% confidence
Finding: The example registers very generic trigger phrases such as '帮我做费用报销' ("help me with expense reimbursement") and '报销审批' ("reimbursement approval"), which are likely to appear in ordinary conversation and can unintentionally invoke the saved workflow. In an agent context, this can cause accidental execution of automated actions or collection/use of workflow data when the user only meant to discuss the topic, making the skill more dangerous because it is explicitly designed to save and later auto-run reusable procedures.

Vague Triggers
High, 90% confidence
Finding: The placeholder '即使用户只是说[模糊触发场景]也应触发' ("should trigger even if the user merely says [vague trigger scenario]") encourages authors to define overly broad activation criteria, making copied skills likely to trigger outside their intended scope. Overbroad triggers increase the chance that powerful or side-effecting skills run in unrelated conversations without clear user intent.

Missing User Warnings
Medium, 94% confidence
Finding: The template directs automatic dependency installation when tools are missing but does not require any user-facing warning, review, or approval. This makes generated skills prone to changing the runtime environment silently, increasing the risk of unsafe installs, privilege misuse, and accidental execution of untrusted packages.

Missing User Warnings
High, 97% confidence
Finding: The credential setup section instructs generated skills to collect credentials and write them into environment variables without any explicit warning about sensitivity, storage scope, or exposure risks. In context, this is especially dangerous because it normalizes secret handling in a generic template, so many derived skills may inherit insecure secret collection and persistence patterns.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.