Security audit

First Principles Thinking

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed Convex development helper, with only a broad auto-invocation setting worth noticing.

Install only if you want this skill to help with Convex-related development. Because it can be implicitly invoked, pay attention when the agent starts making Convex setup, auth, migration, or performance changes, and review edits involving packages, environment variables, auth providers, or data migrations before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill enables `allow_implicit_invocation: true` without any trigger constraints, exclusions, or scoping controls. That means the system may auto-select this skill in loosely related conversations, increasing the chance of unintended activation, prompt-surface expansion, and interference with other agent behaviors even though the skill itself appears generally benign.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.