Back to skill

Security audit

Skill Forge V32 Fixed

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed skill-authoring helper, but it has real scope conflicts around editing existing skills and external SkillHub searches that users should review before installing.

Install only if you are comfortable with a skill that can write or edit skill files. Keep it to new-skill creation or evaluation unless the publisher aligns the existing-skill repair scope, and avoid using sensitive business or personal details in SkillHub search terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README states publishing is out of scope, but elsewhere it advertises publish-related trigger phrases and a Phase 3 publish flow under this skill. This declaration-behavior mismatch can cause the agent to enter a broader execution path than users or policy expect, which is dangerous because publishing workflows often involve network pushes, credentials, and irreversible external actions.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The English guidance routes broad publishing and maintenance phrases despite earlier claiming publishing is handled by a separate skill. Contradictory routing rules create unsafe ambiguity in agent behavior, increasing the chance that a user request for update/publish actions is handled by the wrong skill and bypasses intended guardrails.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The metadata says the skill must not be used for editing existing skills, but the README advertises routes for draft refinement and improving existing skills. This mismatch expands the operational scope beyond declared intent, which can lead the agent to modify existing artifacts when users or reviewers believe such actions are prohibited.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The README explicitly includes diagnosis and fixing of existing skills, directly conflicting with the manifest prohibition on editing existing skills. In a skill system, such contradictions are security-relevant because the agent may follow the broader instruction set and perform modifications outside approved scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reference explicitly includes an R5 route for improving existing skills, which conflicts with the manifest constraint that this skill must not be used for editing existing skills. That mismatch can cause the agent to perform out-of-scope modification tasks, bypassing intended separation of duties and any stronger controls in the dedicated editing/publishing flow.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The diagnosis section goes beyond analysis and instructs direct repair actions such as rewriting descriptions, narrowing scope, and executing fixes on an existing skill. In context, this undermines the declared boundary of the skill and may lead users to make unauthorized or unsafe edits through a workflow that was supposed to exclude skill modification.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrase set includes broad maintenance language such as update/iterate skill requests, which can collide with ordinary user conversations and cause unintended activation. Overbroad routing is dangerous in agentic systems because it can trigger high-impact workflows from ambiguous phrasing without strong user confirmation.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The usage section presents generic trigger wording for publishing behavior, weakening activation boundaries. Ambiguous triggers increase the chance of accidental invocation of workflows that may perform repository or distribution actions.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The English trigger guidance uses broad maintenance phrases without strong exclusions, mirroring the ambiguity in the Chinese section. This can cause unintended delegation or direct activation during ordinary support conversations, especially in multilingual environments.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 2: Search each atomic operation on SkillHub

For each step, search `https://api.skillhub.cn/api/v1/search?q=<keywords>`

### Step 3: Evaluate each step's coverage
Confidence
89% confidence
Finding
https://api.skillhub.cn/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.