
Security audit

Matt Pocock Skills (Kimi)

Security checks across malware telemetry and agentic risk

Overview

This skill bundle is not malware, but it gives very broad auto-triggered workflow instructions that can write project files and publish PRD content to issue trackers without sufficiently tight activation boundaries.

Install only if you want these workflows to auto-activate during normal coding conversations. Review and narrow the trigger phrases before enabling, and require confirmation before writing project docs, creating handoff files, saving issue-tracker config, or publishing GitHub issues. Back up or check your existing .agents/skills directory before copying the bundled skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (15)

Vague Triggers

Medium severity, 87% confidence
Finding
The README states that the skill will 'automatically trigger in appropriate scenarios' without defining concrete activation boundaries, approval requirements, or safety guards. In an agent ecosystem, broad auto-triggering can cause the skill to activate on loosely related prompts and steer behavior such as installation, file operations, or workflow changes without sufficiently explicit user intent.

Vague Triggers

Medium severity, 91% confidence
Finding
The natural-language install instruction ('帮我安装 ... 的 skill', roughly 'help me install the ... skill') is generic enough to overlap with ordinary user requests about the repository, making unintended installation more likely in systems that support model-invoked skills. Because this repository is specifically designed for automatic invocation in Kimi/OpenClaw environments, ambiguous install phrasing increases the chance of unauthorized or surprising skill acquisition.

Missing User Warnings

Medium severity, 91% confidence
Finding
The installation instructions direct users to copy directories into a live local skills path without any warning about overwriting existing content, version conflicts, or trust review. In an agent ecosystem, replacing or shadowing skills can change later agent behavior and introduce unreviewed prompt logic into the user's environment.

Vague Triggers

Medium severity, 94% confidence
Finding
The trigger list is very broad and includes generic bug-related words in both Chinese and English, which can cause the skill to activate during ordinary conversation rather than only when the user explicitly wants a structured debugging workflow. In an agent setting, overbroad auto-invocation can steer the assistant into an unintended process, consume tokens, and override more appropriate skills or direct user intent.

Vague Triggers

Medium severity, 95% confidence
Finding
The keyword block repeats highly ambiguous triggers such as 'fail', 'broken', 'slow', and general Chinese bug terms without defining boundaries for domain, modality, or exclusions. This increases the chance of accidental invocation from normal discussion, status summaries, or non-software contexts, leading to workflow hijacking and reduced reliability of skill routing.

Vague Triggers

Medium severity, 95% confidence
Finding
The trigger description is overly broad and can cause the skill to activate during ordinary project discussions without clear user intent. Because this skill writes and updates repository files such as CONTEXT.md and ADRs, accidental invocation can lead to unauthorized or surprising documentation changes and steer the conversation into a prescribed workflow.

Vague Triggers

Medium severity, 97% confidence
Finding
The listed trigger keywords are common phrases used in normal software conversations, making unintended activation likely. In this skill, unintended activation is more dangerous than usual because it chains into other skills and performs persistent repository modifications, increasing the chance of workflow hijacking or undesired state changes.

Vague Triggers

High severity, 95% confidence
Finding
The auto-trigger keyword list is extremely broad, including generic terms like 'plan', 'design', '需求' ('requirements'), and '思路' ('approach'). In a model-invoked skill system, this can cause the skill to activate during ordinary conversation, unexpectedly changing agent behavior, increasing prompt-surface exposure, and leading to unnecessary codebase exploration or persistent questioning without clear user intent.

Vague Triggers

Medium severity, 85% confidence
Finding
The invocation description says the skill should trigger in several broad scenarios but does not clearly define when it must stay inactive. This ambiguity can cause over-activation, making the agent ask excessive questions or inspect the codebase when the user only mentioned planning or design casually.

Vague Triggers

Medium severity, 93% confidence
Finding
The trigger list includes very generic phrases such as '继续' ('continue'), '分几步做' ('do it in several steps'), and '多会话' ('multi-session'), which can appear in ordinary conversation without any intent to create a handoff artifact. In a model-invoked skill, this can cause unintended activation, leading the agent to summarize and persist conversation content to the workspace when the user only meant to continue the discussion normally.

Vague Triggers

Low severity, 82% confidence
Finding
The condition 'grilling 对齐后需要进入多会话实现阶段' (roughly 'after grilling alignment, the work needs to move into a multi-session implementation phase') is workflow-dependent and not objectively verifiable from a single utterance, so the model may infer activation too aggressively. This ambiguity increases the chance of the skill firing based on internal interpretation rather than clear user consent, causing unnecessary file creation and disclosure of conversation summaries.

Vague Triggers

High severity, 94% confidence
Finding
The trigger phrases include very broad terms such as '写功能' ('write a feature'), '实现' ('implement'), '开发' ('develop'), and even '测试' ('test'), which are common in ordinary engineering conversations. This can cause unintended auto-invocation of the skill, steering the agent into a prescriptive TDD workflow when the user did not explicitly request it, creating workflow hijacking and potentially unsafe autonomous behavior in coding contexts.

Vague Triggers

High severity, 95% confidence
Finding
The dedicated trigger list repeats ambiguous activation keywords without constraints, including generic terms like '实现' ('implement'), '开发' ('develop'), '测试' ('test'), '重构' ('refactor'), and '修 Bug' ('fix a bug'). In an auto-triggered skill system, this broad matching increases the chance of accidental activation across many unrelated requests, which can override user intent and cause inappropriate code-generation or test-running behavior.

Vague Triggers

Medium severity, 93% confidence
Finding
The skill declares many broad trigger phrases such as 'PRD', 'spec', '写成文档' ('write it up as a document'), and similar natural-language terms that can easily appear in ordinary discussion without the user intending to invoke an agent skill. Because this skill can proceed to inspect the repository and publish content to an issue tracker, accidental invocation could cause unintended data exposure or unwanted external side effects.

Vague Triggers

Medium severity, 95% confidence
Finding
The trigger section includes ambiguous conversational phrases like '记下来' ('note it down'), '形成文档' ('turn it into a document'), and '对齐完了,写一下吧' ('now that we're aligned, write it up'), which are common in normal collaboration and not specific to this skill. In context, this is more dangerous because the skill is designed to transform conversation into a PRD and potentially write to GitHub or local files, so an unintended match can create unauthorized or premature artifacts.

VirusTotal

63/63 vendors flagged this skill as clean.
