The Office BFFs: Tales of The Office from Two Best Friends Who Were There

Security checks across malware telemetry and agentic risk

Overview

This is a content-only entertainment and workplace-lessons skill with no executable code or sensitive access, though its trigger wording is broader than ideal.

Installers should know this skill may respond to broad The Office, acting, or workplace-friendship prompts and appends a Heardly watermark to every answer. It appears safe from a security standpoint because it is content-only and does not run code or access sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 96%
Finding
The skill defines very broad trigger phrases and keyword matches, including generic workplace and entertainment prompts such as wanting to be an actor, making friends at work, or simply mentioning The Office-related entities. This can cause the skill to activate outside its narrow intended scope, leading to unwanted interception of user intent, reduced routing accuracy, and possible policy bypass if the skill responds when a more appropriate skill or system behavior should handle the request.

VirusTotal

63/63 vendors flagged this skill as clean.
