胡田 OPC Mentor: Project Full-Lifecycle Management

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed project-archive workflow, but it also asks for broad persistent project data collection and includes privileged skill-creation/patching behavior that should be reviewed before use.

Install only if you are comfortable with it creating and maintaining local project archives, recording skill inputs/outputs, and potentially coordinating data across other OPC skills. Before using it on real client, financial, legal, or confidential business material, require explicit review before writes or syncs, redact sensitive fields, define retention/deletion rules, and disable or separately approve any skill_manage create/patch workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill is presented as a project lifecycle management capability, but it also includes logic to discover gaps and create or modify other skills. That expands authority from passive project tracking into meta-programming of the skill ecosystem, creating a privilege/scope mismatch that can be abused to introduce unsafe behavior through an otherwise routine workflow. In this context, the mismatch is more dangerous because project-management data and review loops are frequent and broad, giving many opportunities to trigger downstream changes.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The document explicitly grants this project-management skill the capability to call skill_manage(create) and skill_manage(patch) for other skills, which is a powerful code/configuration mutation capability unrelated to ordinary project tracking. If influenced by malformed project inputs, recurring 'gap' reports, or poisoned retrospective data, the skill could propagate unauthorized changes across the skill system, effectively becoming a privilege-escalation path. The surrounding context makes this especially dangerous because the skill aggregates cross-project, cross-system inputs and treats them as drivers for evolution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly states that every skill interaction input/output will be recorded into project archives, but it provides no user-facing consent, privacy notice, retention limits, or exclusions for sensitive content. In a workflow that may process business, personal, or diligence data, this creates a real risk of over-collection and unintended persistence of confidential information.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to create directories and maintain multiple project files and overview boards on the local filesystem, but it does not warn the user that local files will be created or modified. This can lead to unexpected state changes, accidental overwrites, and silent persistence of sensitive project data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The SOP instructs operators to record all skill inputs and outputs into project archives, but provides no guidance on filtering, minimizing, or protecting sensitive information. In a project lifecycle workflow, those inputs/outputs may contain client data, business plans, due diligence materials, contracts, or other confidential information, creating a realistic risk of unnecessary retention, overexposure, or downstream unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill describes synchronizing customer contact information, customer records, project summaries, and documents across multiple systems, but does not define consent, minimization, access control, retention, or operator warnings. That creates a real risk of over-sharing sensitive business and personal data between connected skills and knowledge bases, especially because this skill acts as the central hub for lifecycle data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The document introduces automated creation and patching of skills without any explicit warning about change risk, review requirements, or blast radius. In practice, this normalizes unsafe self-modifying behavior and increases the chance that routine operational data will trigger high-impact ecosystem changes without adequate scrutiny.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The document specifies broad bidirectional data flows, automatic project archival, customer/contact storage, and knowledge-base output, but it does not require consent, data minimization, classification, or access-control checks before sharing data across systems. Because the skill manages full project lifecycle records including customer contacts, financial data, feedback, and internal knowledge, missing privacy and disclosure controls materially increase the risk of unauthorized data propagation and secondary use.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill describes creating or patching other skills through skill_manage after approval, but it does not define any safety review, scope restriction, dry-run requirement, rollback, or operator-facing warning for these privileged changes. This is dangerous because a project-management skill that can mutate other skills becomes a control-plane component; mistakes or abuse could silently alter prompts, permissions, or behavior across the wider agent ecosystem.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill mandates comprehensive recording of each interaction into persistent archives without any minimization boundaries, sensitivity classification, or exception handling. Because this skill coordinates full project lifecycles and due diligence, the archived content could include confidential strategy, stakeholder details, and commercially sensitive materials beyond what is necessary for operation.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The stage workflow repeatedly directs recording input data, execution logs, and outputs into project archives as a standard step, creating systematic retention of potentially sensitive user and project information. Without controls on scope, masking, access, or retention, this broad logging increases exposure in case of local compromise, mis-sharing, or later unintended reuse.

Ssd 3

Severity: Medium
Confidence: 89%
Finding:
The initialization process instructs the system to extract and migrate data from existing files into new archives, which can widen exposure of legacy sensitive information and duplicate data across locations. This is especially risky because prior files may contain material that was never intended for centralized archival or long-term retention.

VirusTotal

65/65 vendors flagged this skill as clean.