Security audit

Prompt Library Gardener

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a prompt-only organizer, but its examples contradict its own limits by presenting external imports, live model testing, and metadata-based archiving as expected behavior.

Review before installing. The main workflow is safe if you only paste or upload prompt text you choose to share, but the examples should be revised so the skill never implies it can import from private apps, inspect chat history, run live model tests, or rely on usage metrics unless the user explicitly provides that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

High
Confidence: 98%
Finding
The usage scenario tells the assistant to import prompts from Notes, Notion, and chat history, which directly conflicts with the skill's earlier boundary that it must only use prompts explicitly provided in-conversation and must not search local or external sources. In practice, this kind of contradictory instruction can cause an agent to overreach into private data sources or mislead users into thinking such access is allowed, increasing the risk of unauthorized data collection and privacy violations.

Intent-Code Divergence

High
Confidence: 99%
Finding
This scenario claims the skill can test prompts against current models and produce a regression report, but the skill elsewhere says it cannot call APIs, execute code, or connect to prompt tools. Such capability inflation is dangerous because it may induce an agent or user to attempt external model execution, benchmarking, or automated evaluation beyond the approved trust boundary, potentially causing unauthorized tool use, data exposure, or false assurance about testing results.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The scenario implies the skill can archive prompts using usage metadata such as last-used date and success rate, even though the skill is defined as a prompt-only workflow operating from prompt text and user-provided context. This mismatch can lead users or downstream agents to assume hidden telemetry, repository access, or record-keeping exists when it does not, creating pressure to access external systems or fabricate archive decisions from unavailable data.

Missing User Warnings

Medium
Confidence: 94%
Finding
The example scenarios present importing from external apps and testing prompts against live models as normal expected behavior without clearly warning that these actions violate the skill's own stated boundaries. In instruction-driven systems, examples often carry strong normative weight, so these scenarios can override safer constraints in practice and encourage unauthorized access or tool use.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.