Security audit

Gestalt

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-style collaboration skill that openly changes agent behavior and can use repo memory files, with no hidden install behavior, credential access, exfiltration, or destructive automation found.

Install this if you want a direct, low-filler collaboration style. In coding-agent repos, expect it to create or use _memory, _tasks, and _comms files and to preserve durable decisions there; use it in trusted repositories, avoid saving secrets, and keep explicit control over commits, pushes, deletions, or other consequential changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (3)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The skill is presented as a conversational style mode, but the instructions expand its behavior into persistent repository state management across sessions. That creates a capability mismatch: enabling file-backed memory, continuity claims, and repo writes can cause unintended data retention, cross-session context leakage, and unauthorized modification of project files beyond what a style-only skill should do.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The `_tasks/`, `_comms/`, and `_memory/` mechanisms introduce durable storage and inter-agent communication channels that are not justified by a terse collaboration persona. These instructions can be abused to stash sensitive information, receive untrusted instructions from files, or influence future sessions indirectly, increasing the attack surface and persistence of harmful behavior.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The activation text is broad enough that ordinary requests for terseness, low-filler responses, or collaborative style could unintentionally enable the skill for the rest of the session. That can cause persistent behavior changes without clear user consent, which is risky in prompt-routing systems because it may override expected defaults or apply beyond the user's immediate request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.