C/C++ Comprehensive Cheat Sheets

Security checks across malware telemetry and agentic risk

Overview

This skill is a C/C++ reference helper that openly uses cppcheatsheet.com and does not include executable code or hidden system access.

Install this if you are comfortable with the agent consulting cppcheatsheet.com for C/C++ topics. Avoid using live fetching with proprietary code, secrets, or sensitive incident details, and review any generated shell, systemd, networking, or debugging commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Low
Confidence: 89%
Finding
The file instructs the agent to always retrieve external content from cppcheatsheet.com before acting, which creates an unnecessary dependency on untrusted remote content. In an agent setting, this can enable prompt injection, content tampering, or unintended data flows if the external site is compromised or returns adversarial instructions.

Vague Triggers

Medium
Confidence: 94%
Finding
The skill description is extremely broad, covering nearly all C/C++/CUDA development tasks, system programming, debugging, shell scripting, and related tooling. That broad trigger scope can cause the skill to activate for generic engineering requests outside a narrowly bounded purpose, increasing the chance of unnecessary tool use, overcollection of context, or unsafe delegation to an external content source.

Vague Triggers

Medium
Confidence: 96%
Finding
The activation rule says to use the skill whenever a user asks a C/C++ question or wants to write C/C++ code, which is effectively unbounded for a very common class of requests. In context, that broad condition is more dangerous because the skill also mandates live fetching from an external site, so ambiguous activation can lead to unnecessary network access and context exposure.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill explicitly requires always fetching content from an external site but provides no notice that user queries, code snippets, or other context may be transmitted off-platform. This creates a privacy and data-handling risk, especially for proprietary source code, internal architecture details, credentials accidentally included in prompts, or sensitive debugging information.

Vague Triggers

Low
Confidence: 84%
Finding
The phrase "Always fetch relevant examples ... first" is an overly broad behavioral directive that can override task context and cause the agent to perform external retrieval without clear limits. Broad mandatory instructions like this increase the attack surface by encouraging automatic network access and making downstream prompt-injection from fetched material more likely.

VirusTotal

64/64 vendors flagged this skill as clean.
