Back to skill

Security audit

English Writing Coach

Security checks across malware telemetry and agentic risk

Overview

This is a writing-coach skill with educational instructions and no evidence of hidden code, data theft, destructive behavior, or privileged access.

Install this if you want an English writing tutor for drafts, essays, emails, or practice drills. Be aware that its broad trigger examples may make it activate for general writing-help requests, and scheduled practice may default to English unless you specify otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High
Confidence
93% confidence
Finding
The README instructs the agent to trigger on very broad, everyday phrases like 'can you fix my writing' or 'I want to write better,' which can cause the skill to activate in contexts where the user did not explicitly request this specialized workflow. Over-broad routing can lead to unintended behavior, prompt hijacking of unrelated requests, or inappropriate collection/processing of user text under the wrong skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The repeated invocation guidance stays general and does not define boundaries or exclusions, increasing the chance that the skill is selected for adjacent but unintended tasks. In agentic environments, ambiguous routing guidance can degrade safety and reliability by overriding more appropriate skills or system behavior.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The starter prompts reinforce vague trigger phrases without clarifying constraints, which operationalizes the over-broad matching guidance for deployers. While not directly exploitable like code execution, this increases the risk of accidental invocation and misrouting of benign user requests.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description is written to trigger on very broad, everyday phrases such as 'can you fix my writing' or 'I want to write better,' which can cause the agent to over-select this skill for loosely related requests. This is dangerous because it can override more appropriate skills or user intent, leading to misrouting, unexpected behavior, and reduced trust in the system rather than a direct exploit.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The scheduled drill explicitly instructs that the task text must be kept in English, without checking user language preference or prior consent. This can produce inaccessible or unwanted output for users who expect another language, especially in scheduled or proactive contexts where no immediate clarification is requested.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.