add-educational-comments

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only skill for adding educational comments to user-selected code files, with its main effects disclosed.

Use this only on files you intend to modify, preferably under version control. Review the resulting diff because it may add many comments, and provide only trusted reference URLs if you use the optional Fetch List.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding:
The skill includes an optional `Fetch List` of URLs even though its stated purpose is only to add educational comments to local files. Allowing network retrieval in a file-editing skill expands the trust boundary unnecessarily and can expose the agent to prompt injection, retrieval of attacker-controlled content, data exfiltration via outbound requests, or unexpected use of untrusted material in generated edits.

VirusTotal

64/64 vendors flagged this skill as clean.
