Godot Dev Guide

Security checks across malware telemetry and agentic risk

Overview

This is a Godot development reference skill with broad auto-activation triggers, but no evidence of hidden execution, data access, persistence, or malicious behavior.

Safe to install as a Godot reference skill. Be aware it may auto-activate on broad words like "scene" or "node"; disable or narrow it if that becomes distracting. Review Godot CLI snippets before running them, especially export commands that write build artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 95%
Finding
The skill is configured with autoInvoke enabled, high priority, and broad triggers such as 'godot', 'scene', 'node', and common engine class names. This can cause the skill to activate on many routine Godot-related conversations, increasing the chance of unintended instruction injection, context pollution, or the model following skill guidance when it was not explicitly requested.

Vague Triggers

Medium
Confidence: 91%
Finding
The report explicitly approves high-priority auto-invoke triggers including very broad terms such as `scene` and `node` without discussing false positives, scope control, or unintended activation. In an agent skill system, overly broad triggers can cause the skill to activate in unrelated contexts, exposing unnecessary instructions or influencing behavior where the user did not intend Godot-specific guidance.

Vague Triggers

Medium
Confidence: 95%
Finding
The skill is configured with autoInvoke=true and a high priority while using several generic triggers such as "scene", "node", and common Godot class names. This can cause the skill to activate in conversations that only loosely reference related concepts, increasing prompt-surface exposure and potentially overriding more appropriate skills or polluting responses with irrelevant guidance.

Vague Triggers

Low
Confidence: 80%
Finding
The trigger phrase "godot" by itself is broad enough to match casual references, comparisons, or non-technical mentions of the engine. In an auto-invoked high-priority skill, this can lead to unnecessary activation and context injection, though the impact is limited because the term is still reasonably domain-specific.

VirusTotal

65/65 vendors flagged this skill as clean.
