Skill Kit

Security checks across malware telemetry and agentic risk

Overview

This looks like a real skill-management toolkit, but it needs review because it can make persistent hook, install, deletion, and git changes with under-scoped safeguards.

Install only if you are comfortable with a skill that can create, move, and delete skill files, install external tooling or other skills, query ClawHub for slug availability, register persistent Claude hooks, and stage or commit public skill changes. Prefer dry-run modes, avoid global or -y installs unless you explicitly want them, review generated hook scripts and settings.json before enabling them, and keep backups before running merge, dedup, convert, or cleanup flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch
Medium (93% confidence)
The skill is presented as a frontmatter lint/fix tool, but it instructs scanning unrelated files such as ~/.agent/rules/*.md and .ralph/PROMPT.md for skill references. That broadens data access beyond the stated purpose and can expose unrelated project or personal configuration content, violating least-privilege expectations for a lint task.

Description-Behavior Mismatch
Medium (89% confidence)
The file embeds installation and upgrade procedures for external tooling inside a lint skill, expanding capability from validation into environment modification. This increases the attack surface because a user invoking a simple linter may be induced to install or alter tools they did not intend to trust or run.

Context-Inappropriate Capability
High (97% confidence)
The skill recommends network-based installation commands, including direct script execution from remote URLs, for a task that should be local validation. Remote fetch-and-execute patterns are dangerous because they delegate trust to external infrastructure and can lead to arbitrary code execution if the source, transport, or repository is compromised.

Context-Inappropriate Capability
Medium (95% confidence)
The route-topic workflow is supposed to classify topics and recommend where they belong, but it also instructs the agent to perform external slug-availability checks against clawhub.ai before recommending a new skill. That expands the skill's scope from local analysis into network interaction and discloses proposed skill names to a third party, which is not necessary for routing and creates an avoidable data exfiltration and external-dependency risk.

Context-Inappropriate Capability
Medium (94% confidence)
This section expands a content-editing skill into broad repository operations including branching, staging, committing, pushing, and PR workflow. That increases the authority of the skill far beyond document maintenance and can lead an agent to make durable source-control changes without a narrowly scoped user request, especially if the skill is auto-invoked during innocuous editing tasks.

Context-Inappropriate Capability
Medium (96% confidence)
The workflow instructs writes to ~/.claude/skills/cleanup/data/failed-attempts.md, which is outside the target skill being upgraded. Cross-skill writes violate least privilege and create a path for unintended modification of unrelated skills' data, making the upgrade operation stateful and harder to audit.

Vague Triggers
Medium (84% confidence)
The description contains many broad trigger phrases such as "create skill," "find skill," "install skill," and "frontmatter fix," which could match common user requests and cause the skill to activate more often than intended. Because this skill can lead to file edits, hook registration, and external CLI usage, over-broad invocation increases the risk of unintended privileged actions in unrelated contexts.

Missing User Warnings
Medium (92% confidence)
The skill describes operations that can auto-generate hook scripts and auto-register them in `settings.json`, but it does not prominently warn users that files and configuration may be modified. That omission is especially risky here because the documented workflow includes persistent environment changes, which may surprise users and weaken informed consent.

Missing User Warnings
Medium (93% confidence)
The skill instructs the user to move the original agent file into a backup location and the checklist says to delete the original, but it provides no warning, confirmation step, or verification that the backup directory exists and the conversion succeeded first. In a skill-management context, these are real filesystem changes that can cause accidental loss of working agent definitions or incomplete migrations if followed blindly.

Missing User Warnings
Low (86% confidence)
The instructions direct the agent/user to create directories, write SKILL.md, copy scripts, and change permissions in user-controlled paths without warning that persistent filesystem modifications will occur. While these are normal setup actions, undisclosed writes and permission changes can still surprise users and lead to unintended persistence or execution exposure.

Missing User Warnings
Medium (95% confidence)
The skill offers a deletion option for backup folders without an explicit warning that the action is permanent and may remove recovery copies. In a skill-management context, users may reasonably assume backup cleanup is low risk, so missing friction or warning increases the chance of accidental data loss.

Vague Triggers
Medium (88% confidence)
The trigger examples are very broad and overlap with normal user requests such as 'how do I do X' or 'can you do X'. In an agent setting, that can cause this skill to activate too often and steer the model toward package discovery and installation workflows even when the user only wanted general advice, increasing the chance of unnecessary third-party skill recommendations.

Missing User Warnings
Medium (93% confidence)
The install guidance includes `-g` and `-y`, which perform a global install and suppress confirmation, but the warning is limited to name-collision concerns rather than security or system-wide effects. This can normalize silent installation of third-party content into a persistent environment, reducing user awareness and increasing the risk of accidental or unsafe package installation.

Missing User Warnings
Medium (94% confidence)
The skill includes a permanent deletion command for backup data (`rm -rf ~/.claude/.bak/{skill-name}`) but does not pair it with an explicit warning that the action is irreversible or require confirmation before use. In an agent skill context, documenting destructive shell commands without guardrails increases the chance of accidental data loss, especially when users may copy-paste commands verbatim.

Natural-Language Policy Violations
Medium (81% confidence)
The language policy mandates output language based on detected existing content rather than current user intent. That can suppress or override explicit user instructions and cause unauthorized transformation of content semantics, especially when trigger keywords and frontmatter are modified automatically.

VirusTotal

64/64 vendors flagged this skill as clean.