Undaunted Courage

Security checks across malware telemetry and agentic risk

Overview

This is a Lewis and Clark history skill with harmless text content, but its platform metadata lists unrelated financial and purchase capabilities that do not fit the skill’s purpose.

Before installing, review why this history skill is tagged with financial and purchase capabilities. The visible content is educational and low risk, but those unrelated capabilities should be removed or clearly explained. Also expect that the skill may activate broadly on general Lewis and Clark, expedition, or American West conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list is extremely broad and includes generic terms such as 'expedition,' 'American West,' and even onboarding phrases like not knowing how to start. This can cause the skill to activate in unrelated conversations, overriding user intent and increasing the chance of inappropriate content injection or response hijacking in a multi-skill environment.

Vague Triggers

Medium
Confidence: 84%
Finding
The statement that the skill will appear whenever it 'senses this book could help' describes ambiguous, discretionary activation rather than a clear user-driven invocation boundary. In practice, this encourages over-triggering and makes it harder to predict when the skill will inject its instructions, which can interfere with unrelated tasks and weaken trust and control.

VirusTotal

64/64 vendors flagged this skill as clean.
