天工.Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed agent-design skill that reads its own templates and can write generated skill files, with some broad routing and file-output caveats but no evidence of deception, credential access, exfiltration, or destructive behavior.

Before installing, understand that this skill is meant to generate agent/skill definitions and may create files in an output directory when you ask for a full deliverable. Review generated skills before installing or enabling them, and be careful with broad prompts like '帮我写个' if you do not intend to invoke the skill-design workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The manifest declares no required permissions or files, yet the skill instructions clearly rely on reading local files such as README.md, references/*, examples/*, and running validation against local content. This creates a trust and transparency gap: users or hosting systems may believe the skill is non-file-accessing when in practice it expects file reads as part of normal operation.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill is described as an agent/skill designer, but its documented behavior also includes repository inspection, YAML parsing, structural validation, conflict detection, and scanning references/examples directories. That mismatch can cause operators to authorize or invoke the skill under false assumptions, increasing the chance of unintended file inspection and broader-than-expected behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The manifest claims no required files, but the instructions require reading many local files and writing outputs to disk as part of standard operation. This inconsistency undermines least-privilege controls and can lead to unauthorized or surprising access to local project content.

Vague Triggers

Severity: High
Confidence: 95%
Finding: Trigger phrases like '做一个' and '帮我写个' are overly broad and can activate the skill in many unrelated conversations. Because the skill can read local files, inspect repository content, and write outputs, accidental activation materially increases the risk of unintended actions under the wrong user intent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The automatic activation conditions still cover broad requests about prompt engineering, expert roles, and quality improvement, which overlap with ordinary advisory or writing tasks. In context, that broad routing is risky because the skill also prescribes multi-file inspection and possible output generation, so a normal conversation can escalate into a more privileged workflow than expected.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs writing final deliverables into an `output/` directory but does not clearly require prior user consent or provide a prominent warning that files will be created on disk. Silent or implicit file creation can surprise users, overwrite expected workspace state, and be abused through accidental activation.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The template explicitly requires common starter phrases like “帮我/写/生成/检查”, which are highly prevalent in ordinary chat. In a skill-routing system, this broadens activation criteria and increases the chance the skill is invoked for unrelated requests, causing unintended prompt capture or misrouting rather than precise, user-intended selection.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The quick-start patterns encourage broad self-descriptions such as “我是你的[岗位],专治[痛点]”, which are reusable across many unrelated roles and scenarios. If such language is reused in descriptions or routing hints, it can make this skill overmatch ambiguous user prompts and crowd out more appropriate skills.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The spec directs the agent to write analysis artifacts into an `output/` directory based on user phrasing, but it does not require explicit user confirmation or a visible notice before creating or modifying files. In an agent context, implicit file writes can violate user expectations, overwrite prior artifacts, or create unintended persistence on the host workspace.

Ssd 4

Severity: Medium
Confidence: 88%
Finding: The runtime exception guidance tells users they can instruct the agent to '降级处理,跳过此 Gate 继续' when checks fail. This effectively provides an operator-facing bypass path around quality and integrity gates, increasing the chance that incomplete, unverified, or conflicting outputs are produced and written despite unmet safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal