Security audit

hello-skills

Security checks across malware telemetry and agentic risk

Overview

This skill appears safe from a security standpoint, but it does not actually perform the trading analysis its description suggests.

Install only if you want a simple demo-style skill that echoes parameters into a response. Do not rely on it for real trading, quantitative analysis, or signal generation unless the publisher adds actual analysis logic and clearer documentation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The manifest description "hello-skills skill" is too generic to communicate the skill's purpose, scope, or safe invocation conditions. In agent ecosystems, vague descriptions can cause incorrect routing or unexpected invocation in unrelated contexts, which increases the chance of misuse or unintended execution of whatever behavior is implemented in the skill.

VirusTotal

48/48 vendors flagged this skill as clean.

View on VirusTotal