Team Collab

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed multi-role AI collaboration skill with broad triggers and stale helper files, but no evidence of hidden, destructive, credential-seeking, or exfiltrating behavior.

Install only if you want a multi-role AI collaboration workflow. Use explicit wording when invoking teams, avoid sharing secrets because role windows may retain context, and run the included project-start script only in a new intended folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
Broad trigger phrases such as team names and adjacent business/content terms can cause unintended invocation in unrelated conversations. In an agentic setting, accidental activation may launch inappropriate workflows, route prompts to the wrong role set, or cause the system to perform actions the user did not explicitly intend.

Vague Triggers

Medium
Confidence: 86%
Finding
The quick-start table presents ambiguous invocation terms without clear boundaries, making accidental or adversarial triggering easier. In a multi-role collaboration skill, this can misroute tasks, create unintended agent orchestration, and bypass the user's expectation of deliberate activation.

VirusTotal

61/61 vendors flagged this skill as clean.
