Back to skill

Security audit

xquads-hormozi-chief

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only business strategy router with some broad activation language, but it does not request credentials, system access, persistence, or unsafe actions.

Install this only if you want broad Hormozi-style business strategy prompting. Treat its advice as general business guidance, review any separate referenced specialist files before relying on them, and avoid using it as a substitute for legal, financial, tax, HR, or other regulated professional advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill states that it only diagnoses and routes, but later instructs itself to switch persona and execute specialist frameworks directly. This creates deceptive behavior and weakens user and system expectations about what the skill is allowed to do, increasing the chance of unscoped advice generation and policy bypass through role handoff.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file explicitly says 'NÃO faça consultoria diretamente' but later directs the agent to provide direct specialist consulting after a persona switch. This contradiction is dangerous because it can be used to bypass governance boundaries, making a supposedly narrow router behave like a full advisory agent with broader, less-reviewed capabilities.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description says to use the skill for essentially any business-related request, which is overly broad for a skill that appears intended to route among specific Hormozi-style frameworks. Overbroad activation increases accidental invocation, context capture beyond intended scope, and interference with safer or more appropriate skills.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The condition 'Quando o usuário pedir ajuda com negócio' is vague and effectively matches a huge range of requests. Ambiguous routing criteria can cause the skill to activate in inappropriate contexts, leading to irrelevant advice, missed specialist boundaries, or takeover of prompts better handled by other tools.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list contains generic terms like 'business', 'sales', 'pricing', and 'launch' that are broad enough to match many unrelated user requests. In an orchestrator skill, this can cause unintended activation and routing, increasing the chance of over-collection of user context, incorrect delegation, or interference with more appropriate skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.