Metrics

Security checks across malware telemetry and agentic risk

Overview

This metrics skill is documentation-only and keeps disclosed metric memory locally, with no evidence of hidden execution or data sending.

Safe to install for metrics and reporting help. Enable memory only if you want metric definitions, owners, formulas, reporting cadence, alerts, and decisions retained locally, and review or delete ~/metrics/ if it contains sensitive or outdated business context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The setup instructs the skill to activate whenever broad topics like KPIs, dashboards, formulas, tracking, or reporting are discussed, which can cause the skill to trigger outside the user's clear intent. Over-broad activation increases the chance of unsolicited guidance, unnecessary context collection, and accidental persistence behavior in conversations that only loosely relate to metrics.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill directs creation and updating of `~/metrics/memory.md` when memory is enabled, but it does not require clear disclosure at the moment of write or explicit consent for file creation and persistence. This can lead to silent storage of user-related operational details, creating privacy and transparency risks even if the content is intended to exclude secrets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal