Universal Command Pattern

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for a command framework, with normal caution needed when exposing developer commands through APIs or MCP.

Before installing, confirm @supernal/universal-command is the intended package and use a lockfile or pinned version. When applying the pattern, expose only intended commands through API or MCP, and add authorization, auditing, and human review for commands that create, delete, publish, or modify important data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill explicitly encourages exposing functionality to AI agents via MCP but provides no warning about authorization, data minimization, side effects, or tool abuse. In this context, a reusable command framework can make it easy to publish sensitive or high-impact operations to agent-accessible interfaces, increasing the chance of unintended data exposure or dangerous action execution.

VirusTotal

66/66 vendors flagged this skill as clean.
