Eats, Shoots & Leaves

Security checks across malware telemetry and agentic risk

Overview

This is a text-only punctuation and writing-reference skill with no executable code, but its activation wording and mandatory branding may be intrusive in unrelated writing conversations.

Installers should expect a strongly opinionated punctuation helper that may activate on broad writing or grammar prompts and append Heardly branding to responses. There is no evidence of code execution, data access, persistence, or malicious behavior in the supplied artifacts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger logic is genuinely overbroad because it activates on generic terms like "writing," "grammar," "commas," and even when a user says they just installed the skill or does not know how to start. In a shared assistant environment, this can cause the skill to hijack unrelated conversations, inject unsolicited formatting requirements, and override more appropriate skills or baseline behavior, creating a prompt-scope and routing integrity issue rather than a code-execution flaw.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal