Orchestrator PM

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only project orchestrator, but it gives itself broad authority to create, archive, and delete workflow files, and to interrupt sub-agents, without clear user approval.

Review before installing. Use only in workspaces where automatic planning-file changes, delegated sub-agent work, archived strategy notes, and timeout-based interruption are acceptable. Prefer editing the skill to require approval before writing, deleting, archiving, spawning agents, or killing active agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding: The skill expands beyond orchestration into mandatory generation of insight tweets, portfolio analysis, and ongoing project artifacts every cycle. This creates scope creep and persistent side effects that are not clearly tied to the user's requested task, increasing the chance of silent data modification and unintended retention of inferred business analysis.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The instructions require routine writes to multiple files as a standing responsibility, not merely selecting or invoking the next agent. For an orchestrator skill, this broad write authority can overwrite workspace state, create hidden workflow artifacts, and amplify harm if the skill is triggered repeatedly or on sensitive repositories.

Vague Triggers

Medium
Confidence: 88%
Finding: The activation guidance is extremely broad: 'Use when starting a session, after any agent completion, when NEXT_TICKET is missing/weak, or when a blocker requires escalation.' Over-broad invocation criteria increase the chance this powerful orchestration skill runs in contexts where the user did not intend file writes, task expansion, agent spawning, or cleanup actions, which can amplify mistakes across the workspace.

Vague Triggers

Medium
Confidence: 90%
Finding: Bucket classification relies on common everyday words like 'build,' 'fix,' 'research,' 'check,' and 'idea,' which can match routine conversation and cause unintended orchestration. Because this skill can infer extra tasks, create job boards, invoke the spawner, and later archive or delete files, accidental triggering can lead to unauthorized workflow expansion and data modification.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill explicitly writes `workspace/JOB_BOARD.md` and later instructs deletion or archival of that file, but does not prominently warn the user that it will modify workspace state. Unannounced write/delete behavior is dangerous because it can overwrite planning artifacts, create misleading task state, or remove evidence needed for audit and recovery.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill authorizes killing sub-agents that exceed a timeout without surfacing this as a hazardous action to the user. Silent termination of running agents can interrupt long-running but legitimate work, corrupt partial outputs, lose context, or create inconsistent system state across dependent tasks.

Missing User Warnings

Medium
Confidence: 92%
Finding: Mandating file writes every cycle without user-facing disclosure causes silent persistence of generated content and workflow state. This is dangerous because users may not realize the skill is continuously mutating the workspace, which can affect audits, version control, and downstream agent behavior.

Missing User Warnings

Medium
Confidence: 93%
Finding: The risk scan protocol instructs the skill to persist findings and mitigations into project files automatically, even when operating silently. Silent security or business-risk writes can leak inferred sensitive information into the repository and alter project state without the user's awareness.

Missing User Warnings

Low
Confidence: 81%
Finding: Automatic archival of older insight data to monthly archive files introduces background data movement and retention behavior without disclosure. While lower impact than active routing writes, it still creates hidden persistence and may preserve information longer than users expect.

Missing User Warnings

Medium
Confidence: 95%
Finding: Requiring unconditional creation of `NEXT_AGENT.md` establishes a persistent workflow control file without warning the user that orchestration state will be written. Because downstream agents may trust this file, silent generation can influence execution flow and cause unintended chaining of actions.

VirusTotal

65/65 vendors flagged this skill as clean.
