Back to skill

Security audit

Skill Kit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real skill-management toolkit, but it needs Review because it can persist hooks, install global skills, move/delete skill files, and commit repository changes with incomplete safeguards.

Install only if you are comfortable with a skill that can manage your local skill ecosystem. Before using it, review `scripts/trigger-compile.sh`, avoid unattended `-y` global installs, run trigger compilation in dry-run mode first, and confirm exact paths before backup deletion, agent conversion, hook registration, or git commit workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs use of shell-like commands and external tooling such as `npx skills`, but it does not declare permissions or otherwise bound those capabilities. Undeclared execution capability increases the chance that an agent invokes commands without appropriate review or policy gating, especially because this skill is positioned as a general management toolkit that can modify skills and settings.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document states that Stop-event inject triggers fire only once per session using flag files, but the generated dispatcher example performs unconditional injection and shows no session-state check. This mismatch can cause repeated forced system-message injection, creating unexpected behavior, prompt-loop risks, or persistent automation that is stronger than the documentation suggests.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill mandates staging, committing, branching, and potentially PR-oriented repository operations in ~/.agents as part of a content-upgrade flow. That gives the skill authority to persist and publish changes well beyond editing the target skill, creating a strong risk of unintended source-control side effects or unauthorized propagation of modifications.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The instructions tell the agent to extract content from the target skill and append it into ~/.claude/skills/cleanup/data/failed-attempts.md, which modifies an external skill/data store unrelated to the requested target. Cross-skill writes create data exfiltration and integrity risks because information from one workspace can be silently persisted into another location without the user's focused consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad and include common requests like `create skill`, `add topic`, and `install skill`, which can cause this skill to activate in unrelated contexts. Because the skill includes actions that generate hooks, register settings, discover/install external skills, and upgrade existing skills, unintended invocation could lead to unnecessary file changes or risky external operations.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The SKILL.md template explicitly encourages free-form trigger phrases like "{trigger1}", "{trigger2}" without requiring them to be specific, scoped, or bounded by exclusion conditions. In an agent skill system, overly broad triggers can cause incorrect auto-selection or invocation of the skill, leading to unintended execution paths, misrouting, or instruction collisions with other skills.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description format guidance permits embedding trigger phrases directly in the description string without any guardrails on ambiguity, overlap, or activation scope. Because this skill is about creating and upgrading other skills, that pattern can propagate weak trigger design across many generated skills, increasing the chance of accidental dispatch, prompt routing errors, and instruction exposure at scale.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs moving the original agent file into a backup location and the checklist says 'Delete original' without any warning, confirmation step, or guidance to verify the converted skill first. This can cause accidental loss of working configuration or user data, especially if the backup directory does not exist or the migration is performed incorrectly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends deleting all old backups with `~/.claude/skills/.bak/*` and labels that action as "Recommended," but it does not include a clear warning that this is irreversible and may permanently remove recoverable user data. In a skill-management context, users may reasonably trust the workflow and follow the recommendation without realizing they are deleting their only fallback copies.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger examples are broad enough to match many ordinary user requests such as 'can you do X' or 'how do I do X', which can cause this skill to activate in situations where the user did not explicitly ask to search or install third-party skills. In this context, over-triggering is risky because the skill steers the agent toward external package discovery and potential installation from an open ecosystem, expanding the attack surface.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file provides direct installation commands for third-party skills from an open ecosystem, including unattended installation with '-y', but does not prominently warn that this executes untrusted package retrieval and setup. Verification advice based on popularity and reputation is not an adequate security control, so a user or agent may install malicious or compromised content with insufficient review.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill includes filesystem-altering commands that move user skill directories into a backup location, but it does not prominently warn about the scope, prerequisites, or rollback procedure before presenting the commands. In an agentic workflow, even 'backup instead of delete' operations can still disrupt configured skills, overwrite existing backups, or move unintended paths if placeholders are resolved incorrectly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow includes committing changes to the user's git repository, but the skill's top-level description does not clearly warn that running upgrade can create commits/branches as a side effect. Hidden persistence in version control is dangerous because users may invoke a content-editing skill without expecting repository state changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs writes and moves outside the target skill, including appending to failed-attempts.md and backup-related filesystem operations, without a clear top-level disclosure. This creates unexpected filesystem side effects and increases the chance of leaking or mutating data outside the user's intended scope.

Agent Config Directory Access

High
Category
Agent Snooping
Content
find ~/.claude/skills -name "SKILL.md" ! -path "*.bak*" -exec sh -c \
  'head -10 "$1" | grep -q "^name:" || echo "name missing: $1"' _ {} \;

find ~/.claude/skills -name "SKILL.md" ! -path "*.bak*" -exec sh -c \
  'head -10 "$1" | grep -q "^description:" || echo "description missing: $1"' _ {} \;

# Invalid fields
Confidence
95% confidence
Finding
find ~/.claude/

Agent Config Directory Access

High
Category
Agent Snooping
Content
'head -10 "$1" | grep -q "^description:" || echo "description missing: $1"' _ {} \;

# Invalid fields
grep -r "^triggers:" ~/.claude/skills --include="SKILL.md" | grep -v ".bak"
grep -r "^tools:" ~/.claude/skills --include="SKILL.md" | grep -v ".bak"

# Frontmatter position (must start on line 1)
Confidence
95% confidence
Finding
grep -r "^triggers:" ~/.claude/

Agent Config Directory Access

High
Category
Agent Snooping
Content
# Invalid fields
grep -r "^triggers:" ~/.claude/skills --include="SKILL.md" | grep -v ".bak"
grep -r "^tools:" ~/.claude/skills --include="SKILL.md" | grep -v ".bak"

# Frontmatter position (must start on line 1)
find ~/.claude/skills -name "SKILL.md" ! -path "*.bak*" -exec sh -c \
Confidence
95% confidence
Finding
grep -r "^tools:" ~/.claude/

Skill Enumeration

Medium
Category
Agent Snooping
Content
## Scan Paths

1. `~/.claude/skills/` - Personal skills
2. `~/.claude/plugins/marketplaces/*/plugins/*/skills/` - Plugin skills
3. `.claude/skills/` - Project skills

## Validation Rules
Confidence
87% confidence
Finding
ls 3. `.claude/skills

Skill Enumeration

Medium
Category
Agent Snooping
Content
# Single skill
skills-ref validate ~/.claude/skills/<skill-name>

# All personal skills
for d in ~/.claude/skills/*/; do
  [ -f "$d/SKILL.md" ] || continue
  echo "=== $(basename "$d") ==="
Confidence
90% confidence
Finding
ls for d in ~/.claude/skills

Skill Enumeration

Medium
Category
Agent Snooping
Content
find ~/.claude/skills -name "SKILL.md" ! -path "*.bak*" -exec sh -c \
  'head -10 "$1" | grep -q "^name:" || echo "name missing: $1"' _ {} \;

find ~/.claude/skills -name "SKILL.md" ! -path "*.bak*" -exec sh -c \
  'head -10 "$1" | grep -q "^description:" || echo "description missing: $1"' _ {} \;

# Invalid fields
Confidence
93% confidence
Finding
find ~/.claude/skills

Skill Enumeration

Medium
Category
Agent Snooping
Content
# VENDOR_PAT escapes the leading dot so the bare `grep -nE "$VENDOR_PAT"` body scan matches `.ralph/` etc.
VENDOR_PAT='\.ralph/|\.omc/|\.codex/|\.ai/'

for skill_dir in ~/.claude/skills/*/ ~/.agents/skills/*/; do
  skill_name=$(basename "$skill_dir")
  skill_md="$skill_dir/SKILL.md"
  [ -f "$skill_md" ] || continue
Confidence
94% confidence
Finding
dir in ~/.claude/skills

Agent Config Directory Access

High
Category
Agent Snooping
Content
set -euo pipefail

HOOKS_DIR="$HOME/.claude/hooks"
SETTINGS="$HOME/.claude/settings.json"
SKILLS_DIRS=("$HOME/.claude/skills")
DRY_RUN=false
LIST_ONLY=false
Confidence
96% confidence
Finding
/.claude/settings.json

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
|-----------|-----------|
| `name` | Keep as-is (suffix removal recommended) |
| `description` | Add triggers keywords |
| `tools` | Remove (skills use all tools by default) |
| `model` | Keep (optional) |
| Script references | Copy to `scripts/` folder, change to relative paths |
Confidence
87% confidence
Finding
use all tools

Self-Modification

High
Category
Rogue Agent
Content
Follow the [writer.md](./writer.md) guide to create the skill structure:

1. Create folder: `mkdir -p ~/.claude/skills/<skill-name>/scripts`
2. Write SKILL.md (frontmatter + body)
3. Copy scripts and `chmod +x`

### 4. Move Original
Confidence
80% confidence
Finding
Write SKILL

Session Persistence

Medium
Category
Rogue Agent
Content
| `model` | Keep (optional) |
| Script references | Copy to `scripts/` folder, change to relative paths |

### 3. Create Skill

Follow the [writer.md](./writer.md) guide to create the skill structure:
Confidence
78% confidence
Finding
Create Skill Follow the [writer.md](./writer.md) guide to create the skill structure: 1. Create folder: `mkdir -p ~/.claude/skills/<skill-name>/scripts` 2. Write SKILL.md (frontmatter + body) 3. Cop

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.