Security audit

Propmt Archeologist

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local skill manager that can propose durable skill-file changes, but it repeatedly requires user approval before writing or installing anything.

Install only if you want an agent to proactively notice reusable workflow patterns and propose local skill changes. Review every proposed diff carefully before approving, because accepted changes can influence future agent behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The skill contains very broad auto-trigger criteria such as 'always trigger' on generic phrases like 'what did I just do?' and 'save this workflow,' even when the word 'prompt' is not used. This can cause unintended invocation, leading the agent to activate the skill in unrelated contexts, override more appropriate skills, or process sensitive conversation history unnecessarily.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal