Skill Assessment

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill assessment guide with no executable files, network behavior, or hidden persistence, though its claimed functionality appears incomplete.

This appears safe to install from a security perspective, but it is likely nonfunctional as published because the artifact only includes SKILL.md and skill.json while the documentation references missing assessment scripts, templates, and report files. Use it as guidance unless a later version includes the actual implementation, and avoid running broad local scans unless you intentionally want all local skills inspected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger section is broad and describes common user intents such as wanting to understand a skill’s quality or compare skills, without clear activation boundaries or constrained invocation phrases. In agent environments, overly generic trigger descriptions can cause unintended activation during ordinary conversation, leading to confusing tool invocation, unnecessary file access, or analysis of directories the user did not explicitly intend to scan.

VirusTotal

64/64 vendors flagged this skill as clean.
