Back to skill

Security audit

Dev Prompts

Security checks across malware telemetry and agentic risk

Overview

The available evidence shows a low-risk prompt-style skill with no concrete signs of hidden access, persistence, or unsafe actions.

This looks acceptable to install if you want a general prompt-style skill. Review the skill text so you know when to invoke it, and avoid treating broad paste-anywhere wording as permission to grant extra tools, credentials, or filesystem access unless the user explicitly chooses that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Low
Confidence
90% confidence
Finding
The README says users can 'paste into any agent,' which is a very broad activation/use description and does not provide any trigger scope, constraints, or exclusion conditions. For a markdown file, this can create ambiguity about when and how the skill is intended to be invoked versus merely referenced as documentation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.