One Man Conglomerate

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent project-orchestration helper, but it asks agents to automatically clean/archive project files and update knowledge memory without clear user controls.

Review this skill carefully before installing. Use it only in workspaces where file cleanup and archiving are acceptable, and require the agent to show a proposed action list and get explicit confirmation before deleting, moving, archiving, or saving project knowledge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrase “整理一下 这个项目” is broad, conversational, and likely to overlap with ordinary user speech. In a skill that advertises automatic cleanup and archiving, such a vague trigger can cause unintended destructive or state-changing actions without clear user intent or confirmation.

Missing User Warnings

High
Confidence: 97%
Finding
The skill explicitly describes automatic cleanup of temporary files, project archiving, and knowledge/memory updates, but provides no warning, scoping, rollback, or confirmation requirements. In an orchestration skill that may coordinate multiple agents and project artifacts, this can lead to accidental deletion, unintended modification of user data, or persistent contamination of memory/state.

VirusTotal

65/65 vendors flagged this skill as clean.