Back to skill

Security audit

reasoning-scaffold

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed reasoning template that may activate broadly, but it does not request sensitive access or perform unsafe actions.

Install this if you want broad automatic decision-analysis scaffolding. Expect it to sometimes add a structured six-step format to ordinary analysis questions; avoid relying on the referenced manual script unless the missing script files are supplied in a later version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
93% confidence
Finding
The auto-activation keywords are extremely broad and include common words such as '如何', '是否', '分析', and '怎么样', which can cause the skill to trigger on ordinary conversations far outside intended decision-support use cases. Unintended invocation can override expected agent behavior, inject unsolicited reasoning scaffolds into unrelated tasks, and increase prompt-routing confusion or policy bypass opportunities when combined with other skills.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation logic says reasoning-type questions should directly output the framework, while 'non-reasoning' questions should skip it, but it never defines a reliable boundary between those categories. This ambiguity creates inconsistent routing behavior and makes it easier for the skill to activate unexpectedly, which can interfere with other instructions, produce irrelevant structured outputs, and weaken predictability of the agent's control flow.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.