Xiaguang Harness [DEPRECATED → use trinity-harness]

Security checks across malware telemetry and agentic risk

Overview

This is a workflow guidance skill for software tasks; its activation wording is broad, but the artifacts do not show hidden execution, data access, or unsafe behavior.

Safe to install based on the inspected artifacts. Be aware that the skill may activate broadly on common engineering words, so users who want tighter control should narrow its trigger description or invoke it only for multi-step software development workflows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The manifest description says to use the skill when the user says 'build', 'plan', 'spec', 'review', 'ship', or 'debug'. Several of these are common words in everyday engineering conversation and the file does not provide negative examples or tighter activation constraints, making the invocation boundary ambiguous.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal