Security audit

Agent Estimation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a focused estimation aid, with no artifact-backed evidence of harmful behavior.

Before installing, understand that the skill may influence how your agent answers planning and scoping requests. If you only want it used explicitly, invoke it by name or adjust the trigger wording locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding:
The README says the skill activates automatically when the user asks an agent to "estimate, scope, or plan work," which are broad phrases that overlap with ordinary conversation. It does not provide tighter trigger boundaries, exclusions, or negative examples to clarify when the skill should and should not activate.

Session Persistence

Medium
Category: Rogue Agent
Content:
## The Solution

This skill forces the agent to think in **rounds** (one tool-call cycle: think → write code → execute → verify → fix), estimate round counts per module, apply risk coefficients, and only convert to human wallclock time at the very end.

## Installation
Confidence: 60%
Finding:
write code → execute → verify → fix), estimate round counts per module, apply risk coefficients, and only convert to human wallclock time at the very end. ## Installation ### Using `npx skills` (Rec

VirusTotal

66/66 vendors flagged this skill as clean.