Create MP Skill

Security checks across malware telemetry and agentic risk

Overview

This skill creates AI Skill files inside an existing mini-program project, and the project changes are disclosed, purpose-aligned, and gated by design confirmation steps.

Install this only if you are working in an existing mp-skills mini-program project and are comfortable letting the agent create a new skills/<name> package and register it in app.json. Review the proposed interface list and generated design documents before allowing code generation or validation to continue.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill explicitly instructs creating and registering files in an existing project, including changes under `skills/{skill-name}/` and `app.json`, but it does not clearly foreground that it will modify project state before doing so. In an agent setting, undocumented file modifications can surprise users, cause unintended source changes, and increase the risk of unsafe automation in sensitive repositories.

Natural-Language Policy Violations

Medium

Confidence: 82% confidence
Finding: The skill metadata and description are written to operate in Chinese without indicating that language choice should follow user preference. While not a direct code-execution risk, forcing a language can impair informed consent, reduce user understanding of planned modifications, and make security-relevant prompts or warnings less effective for non-Chinese-speaking users.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal