Skill Optimizer 0330

Security checks across malware telemetry and agentic risk

Overview

This is a skill-definition optimizer, but its broad high-priority auto-trigger rules could make it run during unrelated agent conversations.

Install only if you want a proactive SKILL.md optimizer. Before use, narrow triggers to explicit phrases like optimizing or auditing a named SKILL.md file, remove generic standalone triggers such as skill and agent, require confirmation before any rewrite, and prefer a pinned reviewed artifact over the README's live GitHub install commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The README claims the skill can detect SKILL.md creation/modification and proactively prompt for optimization, which expands the skill from a passive document optimizer into a monitoring/auto-invocation behavior. In an agent ecosystem, that kind of implicit trigger surface can cause unexpected execution, analysis of files the user did not explicitly submit, and erosion of user consent boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
Advertising auto-triggering on extremely generic keywords such as “skill”, “技能” (skill), and “agent” makes accidental invocation very likely in normal conversation. For a skill that can analyze and rewrite SKILL.md files, broad triggers create a prompt-routing risk where unrelated requests may activate the optimizer and cause unintended file handling or instruction interference.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill’s stated purpose is optimizing SKILL.md files, but it also authorizes autonomous activation based on file changes and quality scores without a direct user request. That expands behavior beyond the declared scope, creating unintended privilege and action creep that can cause unsolicited execution in unrelated contexts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill claims environment-style monitoring behavior such as detecting recent file changes and checking quality thresholds, even though those capabilities are not necessary for SKILL.md optimization. This creates an unnecessary monitoring surface and may lead the agent to infer or act on ambient state the user did not ask it to use.

Intent-Code Divergence

Severity: Medium
Confidence: 79%
Finding
The skill promises to strictly preserve original intent and functionality, but later requires modularization through hypothetical dynamic reference loading. That can materially change runtime behavior, dependencies, and failure modes, making the preservation claim misleading and potentially causing silent behavior drift.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger list is intentionally broad and includes generic terms like '检查' (check), '提升' (improve), 'skill', and 'agent', which are likely to match normal conversation rather than a clear request to invoke this skill. In an agent environment, this can cause unintended routing, over-collection of context, and repeated unsolicited activation that interferes with user intent and other skills.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The automatic invocation rules authorize activation on ambiguous signals such as mere mention of skill-related terms, recent file changes, or a quality score threshold. This creates a path for the skill to monitor and act on unrelated activity without a clear user request, increasing the risk of privacy boundary violations, user confusion, and unintended workflow hijacking.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The examples normalize activation from weak signals like '效果不好' ("it doesn't work well"), file creation events, or comparison requests, teaching the system to treat loosely related context as authorization. This broadens the practical attack surface because users or other content can accidentally or deliberately cause the optimizer to engage where no optimization request was made.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The public-facing description highlights auto-trigger behavior but does not clearly warn users that file changes may be monitored and that the skill may proactively intervene. Lack of transparent disclosure undermines informed consent and can lead to unexpected analysis of user files or workflows, especially in environments where users assume tools run only when directly asked.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The trigger list includes very generic terms such as "check," "skill," and "agent," combined with `auto-trigger: true` and `priority: high`. This creates a real risk of unintended invocation during unrelated conversations, causing the optimizer to intercept or influence tasks the user did not intend to route through this skill.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The usage examples encourage activation from broad requests like "Check this agent's quality" and "Audit this skill definition" without clearly bounding when the skill should or should not engage. In a system with automatic routing, these examples can normalize ambiguous matching and expand the skill's effective activation scope beyond safe intent.

Vague Triggers

Severity: High
Confidence: 98%
Finding
The trigger list contains common words that are likely to appear in many benign requests, creating a high probability of unintended skill activation. In systems where skills can transform artifacts or influence agent behavior, overbroad activation is dangerous because it increases the chance of unauthorized or contextually wrong execution.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The usage examples normalize vague activation phrases like 'improve this skill' and 'check this agent' without clarifying that the target must be a SKILL.md definition. That ambiguity broadens the apparent authority of the skill and can lead users or routing logic to apply it to general agent behavior, codebases, or unrelated assets.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger list includes extremely broad everyday terms such as '优化' (optimize), '检查' (check), '提升' (improve), 'skill', '技能' (skill), and 'agent', making accidental activation highly likely. Overbroad triggers can hijack unrelated conversations, causing the skill to run out of context and potentially override more appropriate agent behavior.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The activation rules are ambiguous and expansive, allowing the skill to auto-run on loosely defined conditions and even 'cover' general tasks unless the user opts out. This creates instruction-precedence and unintended-execution risk, where the optimizer may activate in situations the user did not intend and interfere with normal agent operation.
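The Overview's remediation steps (narrow triggers to explicit SKILL.md phrases, drop standalone words like "skill" and "agent", gate rewrites behind confirmation) and the pattern the Vague Triggers findings describe (generic terms combined with `auto-trigger: true` and `priority: high`) can both be checked mechanically. The linter below is an added example written for this page; it is not part of the scanned skill or of SkillSpector. The SKILL.md front matter it reads is constructed, and apart from `auto-trigger` and `priority`, which the findings quote, the field names (`triggers`, `confirm-before-rewrite`) and the generic-term list are assumptions for illustration.

```python
import re

# Constructed sample SKILL.md (not the real skill's file). The fields
# auto-trigger and priority are quoted in the findings; name, description,
# triggers and confirm-before-rewrite are assumed names for this example.
SAMPLE_SKILL_MD = """---
name: skill-optimizer
description: Optimize and audit SKILL.md definitions
auto-trigger: true
priority: high
triggers:
  - skill
  - agent
  - 技能
  - 优化
  - 检查
  - 提升
  - optimize this SKILL.md
  - audit the SKILL.md file
---
# Skill Optimizer
Body text of the skill goes here.
"""

# Standalone words that appear in ordinary conversation; the findings list
# these (skill, agent, check, improve, optimize and their Chinese forms).
GENERIC_TRIGGERS = {
    "skill", "agent", "check", "improve", "optimize",
    "技能", "优化", "检查", "提升",
}


def parse_front_matter(text):
    """Parse the block between the first two '---' lines into a dict.
    Handles only `key: value` scalars and `key:` followed by `- item` lists,
    which is all the sample needs; use a YAML library for real files."""
    m = re.match(r"^---\n(.*?)\n---", text, re.S)
    if not m:
        return {}
    data, current_list = {}, None
    for line in m.group(1).splitlines():
        if not line.strip():
            continue
        item = re.match(r"^\s+-\s+(.*)$", line)
        if item and current_list is not None:
            data[current_list].append(item.group(1).strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            data[key] = value
            current_list = None
        else:
            data[key] = []
            current_list = key
    return data


def lint_triggers(fm):
    """Return (severity, message) findings for one front matter dict.
    Severity follows the report: generic triggers rate High when combined
    with auto-trigger: true and priority: high, otherwise Medium."""
    findings = []
    triggers = fm.get("triggers", [])
    auto = str(fm.get("auto-trigger", "false")).lower() == "true"
    high = str(fm.get("priority", "")).lower() == "high"
    generic = [t for t in triggers if t.lower() in GENERIC_TRIGGERS]
    if generic:
        severity = "High" if auto and high else "Medium"
        findings.append((severity, "generic standalone triggers: " + ", ".join(generic)))
    # Single words that are not on the generic list still match too loosely.
    loose = [t for t in triggers if t.lower() not in GENERIC_TRIGGERS and len(t.split()) == 1]
    if loose:
        findings.append(("Medium", "single-word triggers: " + ", ".join(loose)))
    confirm = str(fm.get("confirm-before-rewrite", "false")).lower() == "true"
    if auto and not confirm:
        findings.append(("High", "auto-trigger enabled without a confirmation gate before rewrites"))
    return findings


def harden(fm):
    """Apply the Overview's remediation: keep only multi-word triggers that
    name a SKILL.md target, disable auto-trigger, drop the high priority and
    require confirmation (assumed field name) before any rewrite."""
    fixed = dict(fm)
    fixed["triggers"] = [
        t for t in fm.get("triggers", [])
        if t.lower() not in GENERIC_TRIGGERS and "skill.md" in t.lower()
    ]
    fixed["auto-trigger"] = "false"
    fixed["priority"] = "normal"
    fixed["confirm-before-rewrite"] = "true"
    return fixed


if __name__ == "__main__":
    fm = parse_front_matter(SAMPLE_SKILL_MD)
    for sev, msg in lint_triggers(fm):
        print(f"[{sev}] {msg}")
    print("after hardening:", lint_triggers(harden(fm)) or "no findings")
```

On the constructed sample the linter reports two High findings (six generic standalone triggers under `auto-trigger: true` and `priority: high`, and no confirmation gate); after `harden()` only the two SKILL.md-specific phrases remain and the report is empty. Run it against a pinned copy of the skill file rather than whatever the README's live install command fetches, so the artifact you reviewed is the one that gets installed.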

VirusTotal

0 of 61 vendors flagged this skill (61/61 clean). Antivirus engines look for known malware in the packaged files; a clean result does not speak to the trigger-scope and consent issues above, which live in the skill's natural-language instructions.
