Something Deeply Hidden

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a low-impact educational/philosophy aid, with the main issue being overly broad activation phrases that may trigger it in unrelated conversations.

This looks safe to install for learning or discussion, but expect it may activate too often on broad phrases like quantum mechanics, spacetime, or reality. Review or narrow the trigger wording if you only want it to run for explicit references to the specific book, author, or interpretation of quantum mechanics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The skill declares activation on very broad terms such as "Quantum mechanics," "Quantum physics," "Spacetime," and especially "What is reality," plus a catch-all "or mention" list. These phrases can easily appear in ordinary educational or philosophical conversations, and the file does not provide exclusion conditions or tighter scope boundaries to distinguish when this specific skill should or should not activate.

Vague Triggers

Low
Confidence: 90%
Finding
The file says the skill also triggers when users say they just installed it or do not know how to start, but it does not define the exact phrases, detection boundaries, or how to distinguish this from generic onboarding/help requests. That ambiguity can lead to accidental invocation in unrelated support-style conversations.

VirusTotal

64/64 vendors flagged this skill as clean.
