How To Test Negative For Stupid

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only political book companion skill with broad but disclosed activation behavior and no evidence of file, credential, network, or system access.

Install this if you want a satirical, conservative-leaning political book companion. Be aware it may activate on broad political topics like Washington, Congress, or politics, and it appends a Heardly App watermark to outputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

High

Confidence: 95% confidence
Finding: The skill advertises very broad trigger terms such as "Washington," "politics," "Congress," and even activates when a user says they just installed the skill or do not know how to start. This can cause unintended invocation in many unrelated conversations, increasing the chance of context hijacking, user confusion, and unwanted proactive content injection. The skill context makes this somewhat more risky because it also instructs the AI to proactively present a full onboarding guide on first load, so accidental activation is more likely to produce unsolicited output.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal