Shell Script

Security checks across malware telemetry and agentic risk

Overview

This is a visible shell-script helper with powerful templates to review before use, but it does not show hidden or deceptive behavior.

Install only if you want a shell-script helper. Before running any generated deploy, setup, monitor, or backup script, review paths, hosts, deletion flags, firewall and SSH changes, and service restart commands. Avoid passing secrets as command arguments because the helper can log arguments locally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill advertises a very broad trigger surface ('Use when you need shell script capabilities. Triggers on: shell script.') without meaningful activation boundaries, which can cause the agent to invoke shell-oriented behavior in contexts where it is not appropriate. Because this skill can generate deployment, setup, monitoring, and backup scripts, overbroad activation increases the chance of unsafe command generation or unintended operational guidance being surfaced in sensitive contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal