Coding Rules

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Vue3/TypeScript coding-standards skill with no executable code, hidden access, credential use, persistence, or destructive behavior found.

Install this only for repositories that actually use the described Vue3/TypeScript stack and conventions. Expect it to influence generated code style automatically for matching subprojects, and review any suggested skill-directory or symlink layout changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 91% confidence
Finding
The skill is configured to trigger for essentially any Vue3 + TypeScript subproject coding request, even when the user did not ask for standards enforcement. This creates an over-broad prompt injection surface where the skill can unexpectedly steer code generation, override user intent, or introduce rigid project-specific constraints into unrelated tasks.

Natural-Language Policy Violations

Medium, 84% confidence
Finding
The skill description is written to enforce Chinese-language behavior across matching requests without indicating that language should follow the user's preference. While not directly enabling code execution, this can degrade reliability, cause undesired behavior, and make the skill act as an unintended policy override in multilingual environments.

VirusTotal

65/65 vendors flagged this skill as clean.
