Publish Checklist

Security checks across malware telemetry and agentic risk

Overview

This is a simple pre-publication checklist with broad workflow guidance but no code, credentials, persistence, or data access.

Install this if you want a strict checklist before public-facing work. Be aware it may trigger broadly for PRs, issues, posts, and emails, and it may encourage bilingual PR/Issue text even where your project does not require it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description is extremely broad, covering essentially any public release action such as posting, emailing, filing PRs/issues, or publishing skills. In an agent system, this can cause the skill to be auto-invoked in many unrelated contexts, increasing prompt-surface area and making the checklist's behavioral requirements influence outputs unexpectedly.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: The instruction to always use bilingual Chinese/English for PRs and Issues imposes an output policy without user opt-in. This can override user intent, leak language preferences into contexts where they are unnecessary, and create unwanted or noncompliant disclosures in automated publishing workflows.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal