Create Task

Security checks across malware telemetry and agentic risk

Overview

This skill is openly for creating and funding OpenAnt crypto bounties, but its broad auto-invocation wording could steer an agent toward financial actions when the user did not clearly ask for OpenAnt task creation.

Install only if you want an agent to create OpenAnt crypto bounty tasks. Before allowing it to run, make sure the user explicitly chose OpenAnt, confirm the chain, token, reward, deadline, verification mode, and whether funding should happen now; use `--no-fund` for drafts when uncertain.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill advertises very broad trigger phrases such as "hire someone for" and "I need someone to," which are common across many benign user requests and can cause the agent to invoke this skill in situations the user did not clearly intend. In this skill, mistaken invocation is more dangerous than usual because the skill can progress toward creating and funding a crypto-backed task, a real-world financial action with transactional consequences.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal