Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent skill-finder, but it can steer ordinary help requests toward third-party skill installs and recommends global auto-confirmed installation.

Use this only when you explicitly want to search for or manage skills. Before installing anything it suggests, review the skill source and publisher, avoid auto-confirmed global installs, and prefer a scoped install with a clear removal or rollback path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger description is broad enough to activate on many generic help requests such as 'how do I do X' or 'can you do X,' even when the user did not ask to search for or install external skills. That increases the chance an agent will pivot into discovering or proposing third-party code unnecessarily, expanding attack surface and creating an opportunity for supply-chain or social-engineering abuse.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill recommends `npx skills add <owner/repo@skill> -g -y`, which performs immediate installation with global scope and suppresses confirmation prompts. In a skill-discovery context, this is especially risky because it encourages executing and installing third-party content from external sources without an explicit review or consent checkpoint, increasing the chance of system compromise or unwanted environment changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal