Grinding It Out

Security checks across malware telemetry and agentic risk

Overview

This is a text-only business-book guidance skill with some broad activation and promotional watermarking, but no hidden code, data access, or privileged behavior.

Installers should expect this skill to add Ray Kroc/McDonald's business framing, a specific action prompt, and a Heardly watermark to its answers. If you only want the skill to activate on explicit book-related requests, the broad trigger wording is the main thing to watch.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes broad, common business terms such as 'start a business,' 'entrepreneur,' 'opportunity,' and 'sales tips,' which can cause the skill to activate in many unrelated conversations. Overbroad activation creates prompt-scope hijacking risk: the assistant may inject this skill's instructions, branding, and behavioral constraints into contexts where the user did not request book-specific guidance.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The phrase 'I'll show up whenever I sense this book could help' defines activation using subjective, ambiguous criteria instead of a clear user request. This increases the chance of unsolicited activation and instruction injection into adjacent business discussions, especially because the skill also mandates proactive onboarding and output formatting on every response.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal