Security audit

OpenSpec Dev Flow (CN)

Security checks across malware telemetry and agentic risk

Overview

This skill does not look malicious, but it needs review because it can broadly steer normal coding requests and lets confirmations be skipped before workspace-changing work.

Install only if you intentionally want an OpenSpec workflow to apply to broad coding tasks. Review or narrow the trigger rules, remove blanket confirmation bypasses, and require explicit confirmation before creating files or implementing changes in important repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding
The skill establishes confirmation as a core safety/control mechanism, then undermines it by allowing the user to bypass all confirmations with phrases like '直接搞' or '不用确认'. In an agent skill that can create files and implement changes, this weakens change-control safeguards and increases the chance of unintended or socially engineered destructive actions.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger conditions are defined so broadly that the skill may activate for a large share of normal development requests, even when the user did not explicitly ask for this workflow. In an agent setting, overbroad activation can unexpectedly steer execution, create files, or change process behavior, which increases the risk of unwanted actions and prompt-scope confusion.

Natural-Language Policy Violations

Severity: Medium
Confidence: 84%
Finding
The workflow allows a language-specific override phrase ("直接搞" or "不用确认") to bypass the normal confirmation gate. This creates an inconsistent control surface where users speaking or matching that phrase get reduced safeguards without a structured opt-in policy, making accidental or socially engineered bypasses more likely.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The trigger condition is extremely broad: it applies to essentially any request to create, develop, implement, refactor, or fix something. In practice this can cause the skill to activate on ordinary development requests and steer the agent into file-creation and workflow execution unexpectedly, expanding the blast radius of prompt injection or accidental invocation.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Allowing a single informal phrase to skip confirmations is dangerous because this skill's next steps include creating proposals, specs, tasks, and potentially implementing changes. That makes social engineering and accidental triggering easier: a user or injected instruction can collapse a staged review process into immediate write actions without clear consent boundaries.

VirusTotal

62/62 vendors flagged this skill as clean.