Security audit

English Listening Coach

Security checks across malware telemetry and agentic risk

Overview

The skill is a normal English listening coach, but its metadata claims wallet and sensitive-credential capabilities that do not fit the lesson workflow.

Install only if the platform does not actually request wallet access, passwords, tokens, browser sessions, or other sensitive credentials. If any such permission prompt appears, decline unless the publisher provides a clear, specific reason tied to English listening practice.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

High
Confidence: 94%
Finding
The trigger guidance is extremely broad and instructs activation for generic study/help phrases such as 'give me an English lesson' or 'let's do some English practice.' In an agent environment, this can cause the skill to hijack ordinary educational queries without clear user intent, leading to misrouting, unwanted workflow execution, and reduced user control over how the assistant responds.

Vague Triggers

Medium
Confidence: 89%
Finding
The activation description lacks boundaries and negative examples, so the agent has little guidance on when not to use the skill. This ambiguity increases the chance of over-triggering on broad education-related prompts and can degrade reliability by forcing a fixed coaching flow where it may not fit the user's actual request.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill repeatedly frames the interaction as an English-only lesson flow without indicating user choice, confirmation, or opt-in for language mode. In practice, this can override user preferences or accessibility needs, especially when a user wants bilingual support, explanation in another language, or a different learning format.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger description is extremely broad and instructs activation for many generic phrases about studying or practicing English. This can cause the skill to hijack ordinary educational conversations, leading to unintended web fetching, unexpected long-form interactions, and reduced user control over what behavior is invoked.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.