find-skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent guide for finding and installing other skills, but its global no-prompt install example should be used cautiously.

Before installing any recommended skill, review its source, publisher, and files. Prefer an interactive install without `-y`, and avoid global installation unless you want that skill available across your user environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger guidance is very broad and includes common phrases like 'how do I do X' or 'can you do X', which can cause this skill to activate in many unrelated situations. Unintended invocation matters here because the skill encourages package discovery and eventual installation from external sources, increasing the chance of unnecessary exposure to third-party content and command execution paths.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly recommends `npx skills add <owner/repo@skill> -g -y`, which performs global installation and suppresses confirmation prompts without any prominent warning about trust, provenance, or system-wide impact. In a skill whose purpose is to discover third-party packages from external sources, this creates a dangerous path to rapid installation of unreviewed code with reduced user awareness and fewer safety checkpoints.

VirusTotal

62/62 vendors flagged this skill as clean.
