Security audit

MicroService Metric Skill

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only skill for reviewing Java code and suggesting monitoring metrics, with only minor activation and metadata cautions.

Install this if you want an agent to inspect Java source files and recommend monitoring metrics. Invoke it explicitly for Java metric-log analysis, and only allow optional AOP scanning when you are comfortable with the agent reading those project files. The unrelated crypto and purchase metadata tags should be corrected by the publisher or ignored unless a future version adds reviewed behavior for them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrase “添加监控” is very broad and could match many unrelated observability, alerting, tracing, infrastructure, or non-Java tasks. Because the skill is designed for Java business-metric identification, such a generic trigger increases the chance of accidental activation outside its safe and intended boundary.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrase “添加监控” is very broad and could match many unrelated observability, alerting, tracing, infrastructure, or non-Java tasks. Because the skill is designed for Java business-metric identification, such a generic trigger increases the chance of accidental activation outside its safe and intended boundary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal