Back to skill

Security audit

Coding Guidelines

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only coding guidance skill with broad but disclosed programming-workflow instructions and no hidden execution behavior.

Safe to install as a coding-assistance guide. On sensitive projects, be aware it may encourage the agent to read relevant files, consult stored coding preferences, write planning notes, and delegate larger work to subagents, so keep secrets and unrelated private files out of the working context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description says to use the skill when the user asks for help with programming tasks and that it triggers on coding tasks, code reviews, architecture discussions, and AI coding workflows. These categories are expansive and do not provide clear boundaries or exclusion conditions, which could cause the skill to activate for ordinary developer conversations beyond the intended scope.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/context-engineering.md:22