tacit-knowledge-worker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent markdown-only workflow for interviewing users, generating agent operating documents, and checking deployment readiness, with no hidden execution, credential use, network behavior, or destructive actions found.

Install only if you want a structured agent-design workflow. During the interview, avoid sharing secrets, credentials, regulated data, or unnecessary personal details, and keep verification paths limited to files you intentionally created or modified for the project.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill’s invocation guidance is very broad, telling an agent to use this workflow whenever it is 'building or deploying a new AI agent.' That can cause over-triggering in generic contexts, unexpectedly inserting a long interview, file-generation, and governance workflow into unrelated tasks, which increases the chance of unnecessary data collection and unsafe autonomous behavior.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to extract tacit knowledge, preferences, stakeholder information, schedules, quality criteria, and past examples, but provides no privacy notice, minimization rule, or sensitivity screening. In practice, this can lead users to disclose confidential business processes, personal data, or regulated information that is then persisted into multiple OS files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal