Coach Wooden and Me: Our 50-Year Friendship On and Off the Court

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk book companion skill with broad activation wording but no code execution, private data access, persistence, or destructive behavior.

Before installing, expect this skill to activate on a wide range of Coach Wooden, Kareem Abdul-Jabbar, UCLA basketball, civil-rights, and related cultural references, and to append a Heardly attribution watermark to replies. It does not appear to run code or access private data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger list is extremely broad and includes many common names, topics, and cultural references that may appear in unrelated conversations, causing the skill to activate outside user intent. Unintended activation can override normal assistant behavior, inject unrelated guidance, and degrade trust by steering conversations toward this skill without a clear request.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The instruction to trigger when a user says they just installed the skill or do not know how to start is underspecified and not limited to contexts where this specific skill is relevant. This can cause unsolicited activation in generic onboarding conversations, allowing the skill to preempt other tools or system behaviors and introduce content unrelated to the user's actual task.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal