Tdd

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TDD/testing guidance skill with broad activation wording but no evidence of hidden access, persistence, exfiltration, or destructive behavior.

Install this if you want TDD and test-running workflow help. Because some activation phrases are broad, check that the skill is being invoked for an actual testing or verification task. Review any project test command before running it, because local test scripts can execute code from the repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The manifest advertises many generic trigger phrases such as "doesn't work," "not working," "bug fix," "verify," and "run tests," which can match ordinary user requests far outside a narrow TDD context. This increases the chance of accidental over-invocation or routing the agent into this skill when the user did not explicitly intend to use it, potentially causing unexpected test-execution behavior or unnecessary access to project context.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes broad terms such as "verify" and phrases like "run tests"/"execute tests" that can appear in many unrelated user requests. In an agentic system, this can cause unintended invocation of a skill that executes shell commands, increasing the chance of unnecessary or unsafe command execution in the workspace.

VirusTotal

65/65 vendors flagged this skill as clean.
