Skill Quality Evaluator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for evaluating other skills, with disclosed report-writing behavior that users should keep scoped to intended files.

Install is reasonable if you want a checklist-based skill evaluator. Before using batch mode, point it only at the skill directory you intend to review, and avoid saving reports that include secrets, proprietary skill text, or sensitive internal evaluations unless persistent memory storage is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs the agent to save evaluation reports into a persistent memory path without warning the user or requiring confirmation. This can cause unintended modification of stored project data, create data retention/privacy issues, and let routine evaluation actions leave durable side effects that the user may not expect.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The batch workflow directs saving a summary report to a memory path, again without making the persistent write behavior explicit. In batch mode, the risk is amplified because repeated automated writes can accumulate sensitive metadata about many skills/projects and overwrite or clutter shared memory locations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal