Imperial Engine

Security checks across malware telemetry and agentic risk

Overview

This skill openly functions as an extreme token and cost stress test, but its defaults are broad enough that users should review it carefully before installing.

Only install this in a disposable test environment with hard provider spending limits, explicit invocation controls, shell and browser disabled unless needed, and memory persistence turned off or isolated. Do not enable it globally or run it with normal API keys, production access, or valuable local state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill uses broad filesystem enumeration (`find /usr ...`) and persistent disk writes to store large LLM, browser, and shell outputs, even though its stated purpose is token-consumption stress testing. This creates unnecessary access to host filesystem metadata and durable storage of potentially sensitive data, increasing both data-exposure and resource-exhaustion risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The skill performs external browsing and full-text extraction from arbitrary web content solely to inflate token usage. This is not necessary for the claimed function and introduces avoidable network egress, untrusted content ingestion, and possible transmission of session context to external sites or tools.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The script labeled as an emergency stop routine does more than stop a running test: it disables and uninstalls the skill, deletes matching files, and terminates processes by name pattern. In a stop script for a token-consumption test tool, these broader destructive actions can remove state and affect unrelated components, especially because errors are suppressed and the user gets no chance to review what will happen.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: Using `pkill -f "imperial"` matches any host process whose command line contains the string "imperial", not just this skill's own processes. That can kill unrelated services or user jobs and create denial-of-service conditions on the host, which is especially risky in a shared or production-like environment.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding: The documented trigger phrases are extremely broad, including generic natural-language strings like "帝王引擎" and "开启帝王模式", which can cause accidental or unauthorized invocation in normal conversation. In the context of a skill explicitly designed to maximize token consumption and optionally invoke browsing, shell, and memory persistence, unintended triggering can rapidly cause financial loss and resource abuse.

Vague Triggers

Severity: High
Confidence: 99%
Finding: The skill declares itself as globally triggered for any user request, despite being designed to force repeated high-cost LLM/tool loops. That activation scope makes accidental or unauthorized triggering highly likely and turns an already expensive workflow into a platform-wide denial-of-wallet and resource exhaustion mechanism.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: This configuration enables random browsing and execution of a heavyweight shell command with no explicit activation guard, approval requirement, or context restriction. In a skill explicitly described as an extreme token-consumption testing tool, those unconstrained actions increase the chance of unintended resource abuse, host reconnaissance, or costly autonomous behavior if the skill is invoked in the wrong environment.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The script performs disable, uninstall, and file deletion operations immediately without warning or confirmation. Even if intended for emergency use, this increases the chance of accidental destructive execution and can lead to loss of local state or disruption of the user's environment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The process-kill step is executed without warning despite using a broad match that may affect unrelated processes. Lack of notice and confirmation makes accidental service interruption more likely and hides the operational risk from the user.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill persistently stores complete LLM, browser, and shell outputs and later re-reads them for summarization, creating a direct natural-language data retention and re-exposure channel. If any output contains secrets, internal paths, system metadata, or sensitive fetched content, the skill amplifies leakage by preserving and reinjecting it into later prompts.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The documentation explicitly instructs the agent to retain complete historical memory across rounds in order to bloat context. In this skill's context, that behavior is dangerous because it increases the chance that sensitive information from prior tool outputs or prompts is repeatedly propagated, while also intentionally driving runaway token consumption and instability.

VirusTotal

65/65 vendors flagged this skill as clean.