
Security audit

skill-merge-and-republish

Security checks across malware telemetry and agentic risk

Overview

This looks like a purpose-aligned local skill-management workflow, but it needs review because it can remove a local skill folder without a clearly documented confirmation or backup safeguard.

Before installing, confirm that any merge or cleanup step shows the exact skill folder to be removed, requires explicit approval, and either backs it up or moves it to an archive instead of deleting it immediately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The workflow explicitly instructs removing a local skill folder as part of the merge process, but it does not require user confirmation, a backup, or a clear warning that this is destructive. In an agentic context, deleting the wrong folder or removing a skill before the merge is validated could cause irreversible loss of local content, configuration, or history.

VirusTotal

64/64 vendors flagged this skill as clean.
