Nm Abstract Skill Authoring

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill-authoring guide with minor activation and installation caveats, but no hidden execution, exfiltration, or destructive behavior.

Reasonable to install if you want guidance for authoring Claude Code skills. Review the broad triggers if unwanted activation would bother you, and treat the deployment copy examples as local writes that should only be run for skills you have reviewed and trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes broad terms like "writing," "validation," and "authoring," which can cause this skill to activate in many unrelated contexts. Overly broad activation increases the chance that users or agents invoke guidance unnecessarily, which can bias behavior, consume context budget, and interfere with more appropriate skills.

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The checklist instructs copying a skill directly into `~/.claude/skills/`, which modifies user-local files but does not explicitly warn the operator about the write or recommend reviewing the source before installation. In a skill-authoring/deployment context this is not inherently malicious, but it can normalize unsafe installation behavior and increase the chance of installing unreviewed or unsafe content into an active skill directory.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal