Rule Toolkit

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill has a coherent automation purpose, but it asks agents to rewrite authoritative rule files and create auto-running hooks in ways users should review carefully before installing.

Install only if you want an agent to generate enforcement tooling for project rules. Before using it, require a reviewed diff for any edits to CLAUDE.md, agents.md, soul.md, tools.md, bootstrap.md, or similar policy files, and do not allow rule removal unless you have confirmed the generated tools fully preserve the intended behavior. Treat generated hooks as code that runs automatically: restrict file patterns, avoid broad write commands, and review every command before enabling it.

SkillSpector (3)

By NVIDIA

Intent-Code Divergence

Medium
Confidence: 90%
Finding:
The skill tells the agent to remove 'toolified' rules from source constraint files while elsewhere claiming existing rules will be preserved. In a security-sensitive context, deleting or rewriting policy files can silently weaken governance, erase human-review safeguards, or remove non-toolable constraints that were misclassified, causing lasting policy drift.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The cleanup section directs modification of source constraint files without an explicit warning that this changes authoritative project policy. Because these files often encode security, workflow, and approval requirements, silent cleanup can lead users to approve destructive edits without understanding that behavioral safeguards are being removed from the prompt layer.

Missing User Warnings

Medium
Confidence: 88%
Finding:
This documentation promotes server-side hooks that automatically execute shell commands and modify files, including examples that run `eslint --fix`, `prettier --write`, and shell pipelines without any explicit warning about side effects, trust boundaries, or command-safety considerations. In a skill whose purpose is to convert rules into enforceable automation, this increases the chance that an agent or user will adopt auto-executing commands on write/reply events without understanding that they can change files, leak data through command output, or execute unsafe shell content.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
