Security audit

Before You Build Skill

Security checks across malware telemetry and agentic risk

Overview

This is a text-only product-risk review skill with disclosed, optional case lookup and no executable payload.

Install this when you want an agent to challenge a product or feature idea before building. Invoke it explicitly for product-risk review, not for code review, security review, or architecture decisions. If you approve the optional Case Memory lookup, share only a short non-confidential idea summary and do not send secrets, customer names, private financials, credentials, or unreleased details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes broad natural-language phrases such as 'Should I add this feature?' and 'The requirements changed. Sanity-check this before I implement it.' These can cause the skill to activate in ordinary product or engineering conversations where the user did not clearly request this specialized pre-build review, leading to misrouting, unnecessary instruction override, and accidental use of the skill's decision framework in the wrong context.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.