Elcano Superpowers

Security checks across malware telemetry and agentic risk

Overview

This is a coherent coding-workflow skill, but it includes unscoped shipping actions like git push and PM2 restarts without a clear final approval step.

Review this skill before use if your projects have shared branches, production PM2 processes, or sensitive code. Require the agent to pause for explicit approval before commits, pushes, PM2 restarts, notifications, screenshots, or git checkout, and limit sub-agent context to files needed for the task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs impactful actions such as `git push`, PM2 restarts, and multi-file repository changes, but it does not require explicit user confirmation or safety checks immediately before those operations. In an agent setting, this increases the risk of unauthorized deployment, production disruption, or irreversible repository changes if the workflow is triggered in the wrong context or on an ambiguous request.

VirusTotal

64/64 vendors flagged this skill as clean.
