Back to skill

Security audit

技术方案书全自动写作

Security checks across malware telemetry and agentic risk

Overview

This writing skill is not plainly malicious, but it can set up unattended background writing that keeps reading and changing project files without fresh approval.

Install only if you intentionally want unattended proposal generation. Before enabling cron or HEARTBEAT continuation, review the scripts, keep projects in a dedicated workspace, set autoContinue to false unless a project should continue automatically, and avoid copying agent directories or reference materials that may contain secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The guide goes beyond describing a writing workflow and provides operational deployment steps that create files, install scripts, configure agents, and schedule recurring execution via cron. In a skill context, this materially expands the capability from document generation to persistent local automation, which can modify user data and continue acting after initial invocation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill introduces host-level scheduling and heartbeat-triggered execution that operate outside the immediate document-writing request. This is dangerous because it enables persistent autonomous behavior on the host, potentially spawning new sessions, scanning project directories, and modifying files without a fresh user action each time.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The migration instructions copy agent configurations from the user's home directory into other instances, expanding filesystem access beyond the stated writing task. This can expose sensitive prompts, secrets, or local agent settings and encourages broad home-directory interaction without adequate warnings or least-privilege boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document advertises progress persistence and fully automatic execution but does not clearly warn that the skill will create and update files under workspace directories. This is dangerous because users may invoke what appears to be a writing assistant without understanding that it persists state and modifies the filesystem across sessions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide instructs enabling cron/heartbeat-based auto-continuation that can spawn new sessions and keep processing after the original interaction ends, without a prominent warning or approval checkpoint. Background scheduled execution increases risk because it can repeatedly read and write project data, consume resources, and perform unintended actions long after the user expects processing to stop.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The migration guide instructs operators to enable unattended automatic continuation via Cron or heartbeat checks, but it does not include safeguards, approval gates, or warnings that these background actions may modify project files and continue generating content without user review. In a skill that writes into workspace/projects and triggers follow-on executors, this creates a real risk of unintended data modification, runaway automation, or silent overwrites if the mechanism is misconfigured or triggered on the wrong project.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick reference explicitly documents unattended continuation via Cron, heartbeat checks, and proactive triggering, but does not warn users that the skill may keep generating files and outputs on a schedule without an active confirmation step. In this skill's context, that is more dangerous because it orchestrates long-running multi-agent writing workflows and updates project state files automatically, increasing the chance of unintended content generation, resource consumption, or background execution beyond the user's expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promises automatic persistence of project progress to files and fully unattended continuation across sessions, but it does not warn users about where data is stored, what content may be retained, or the operational consequences of autonomous execution. In a skill that processes large proposal documents and reference materials, this can expose sensitive business data, create unexpected filesystem side effects, and allow long-running activity without explicit user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to install heartbeat/Cron-based automatic execution that periodically resumes unfinished projects, effectively enabling unattended agent activity. Without strong warnings, access controls, scope limits, and review checkpoints, this can cause repeated autonomous processing, unexpected resource consumption, and continued handling of potentially sensitive documents long after the initiating session has ended.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill describes automatic creation and modification of project files, progress trackers, continuation instructions, triggers, and logs without an explicit warning that local files will be changed. This is dangerous because users may invoke a writing skill expecting content generation, not persistent state changes and background workflow artifacts across directories.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill accepts reference materials via URLs and describes automated processing without warning users about remote fetching or possible transmission of provided data into downstream processing. This creates privacy and supply-chain risk because sensitive URLs or fetched content may be retrieved, summarized, logged, or used by subagents without clear consent.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.