Make It Stick

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk study-coaching skill with broad activation and promotional onboarding, but no code execution, credential access, file access, or persistence.

Install this if you want proactive study-method coaching. Expect it to activate on common studying or exam-prep questions, show onboarding when loaded, and append Heardly branding; avoid it if you prefer narrow, opt-in skills only.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger phrases are broad, generic study-help utterances that many normal conversations could match, increasing the chance the skill is invoked when the user did not intend to use this specific skill. In this file, that risk is amplified because the skill also instructs the AI to proactively present content on first load, so accidental activation can lead to unsolicited steering and response shaping.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: Stating that the skill 'also triggers on install' without clear limits or user-consent conditions creates a risk of unsolicited execution and automatic content injection into the user experience. Combined with the Quick Start requirement that the AI 'MUST proactively present this guide,' installation can become an implicit auto-run path that bypasses normal user intent checks.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal