Nm Scribe Session To Post

Security checks across malware telemetry and agentic risk

Overview

This appears to be a content-drafting skill whose repository reading and draft-file creation fit its stated blog or marketing purpose, with some caution around broad activation and working-tree changes.

Install only if you want an agent to inspect project context and create blog or marketing drafts in your repository. Before use, confirm the target output path and review generated posts before committing or publishing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger list includes very broad, common terms like "blog" and "marketing", which increases the chance that the skill is invoked in contexts where the user did not specifically intend this capability. Because the skill then encourages repository inspection, command execution, and content generation, accidental invocation can lead to unnecessary exposure of project context and unintended side effects.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly directs the agent to write generated content to `docs/posts/` without requiring user confirmation or warning that repository contents will be modified. In an automated or loosely supervised workflow, this can create unintended files, pollute commits, or overwrite expected documentation paths.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal