Back to skill

Security audit

Skill Forge V32 Fixed

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a skill-authoring assistant, but its instructions conflict about editing existing skills and publishing workflows, creating a real risk of out-of-scope agent behavior.

Install only if you are comfortable with a skill that can create and edit skill files. Before using it, treat publishing requests as out of scope and route them to skill-publisher, and do not use its R5 improvement path on existing installed skills unless you explicitly intend to modify them and can review the changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README states publishing is out of scope, but nearby trigger and phase descriptions say publish/update requests should be handled in the workflow. This declaration-behavior mismatch is dangerous because users or orchestrators may invoke the skill for publishing actions it is not supposed to perform, weakening boundary controls and increasing the chance of unsafe tool use or accidental release operations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The inline usage text simultaneously says publishing belongs to skill-publisher and also lists '技能发布' as something this skill auto-triggers on. Contradictory trigger semantics can cause the wrong skill to activate for sensitive release tasks, leading to unintended publishing, confused control flow, or bypass of the intended specialized publisher skill.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The pipeline includes Phase 3 publishing actions even though the skill is described elsewhere as only covering Phases 0-2. This scope expansion in documentation is risky because agents often treat README pipeline steps as operational instructions, which could result in unauthorized or unintended publication-related actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The English section repeats the same scope confusion by advertising publish-only triggering and publishing behavior for a skill that claims publishing is out of scope. Repeating the contradiction in another language increases the chance that multilingual users or automated parsers will invoke the wrong capability boundary.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The English usage section tells users this skill handles publish-only requests, directly conflicting with the out-of-scope statement. In skill ecosystems, trigger documentation can drive runtime routing, so this inconsistency can misroute sensitive release flows and undermine security review expectations.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The English pipeline explicitly documents Phase 3 publish execution despite the declared Phase 0-2 responsibility. This can cause operators or autonomous agents to treat publishing as an approved step of this skill, broadening its effective permissions and increasing the likelihood of accidental release actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The reference explicitly includes a workflow for diagnosing and improving existing skills, which conflicts with the skill metadata stating it must not be used for editing existing skills. That mismatch can cause the agent to perform out-of-scope modifications users were supposed to route elsewhere, weakening guardrails and increasing the chance of unauthorized or unsafe skill changes.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The entry-routing table directs the agent to handle requests to improve an existing skill even though the skill description says not to use it for editing existing skills. This creates a policy contradiction at the point of request classification, making it likely the agent will accept prohibited requests and bypass intended separation of duties.

Vague Triggers

Medium
Confidence
79% confidence
Finding
Broad trigger phrases around publishing and updating can overlap with common maintenance or release-related requests. Overbroad triggers are dangerous in an agent skill because they can cause unintended activation on sensitive workflows, especially when the skill’s own scope is already inconsistently documented.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The usage section presents a broad trigger without clarifying exclusions or handoff behavior, which increases the chance of accidental invocation in adjacent scenarios. In a skill that can create or evaluate other skills, ambiguous activation can lead to execution in the wrong context and unsafe operations being proposed or initiated.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file hard-codes the interview flow in Chinese and gives no language selection or fallback, which can exclude users, cause misunderstanding of requirements, and lead to incorrect skill behavior. In a requirements-gathering phase, language mismatch directly increases the chance of collecting wrong intent, triggers, or boundaries.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The adaptation logic relies on Chinese-specific cues and labels, which can misclassify user proficiency or force Chinese interaction patterns on users who are communicating in another language. Because this logic governs questioning style and comprehension checks, it can degrade interview accuracy and produce unsuitable outputs.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The confirmation gate uses a fixed Chinese template with no opt-in, which can prevent users from validating the summary accurately if they do not read Chinese. Since this gate is the final alignment checkpoint before implementation, misunderstanding here can propagate into incorrectly built skills or unsafe scope assumptions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest description activates on very broad cues like meeting notes or requests to extract action items, without explicit exclusions or tighter scope boundaries. This can cause the skill to trigger on ordinary conversation or mixed-purpose inputs, leading to unintended handling of user content and reducing routing reliability.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.