Projects

Security checks across malware telemetry and agentic risk

Overview

This skill is a local project organizer whose main risk is creating or updating files under ~/projects if used too casually.

Install this only if you want your agent to maintain project files under ~/projects/. Confirm before creating, deleting, or archiving folders, and avoid storing secrets or sensitive client details in plain notes unless your local storage is protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The activation rule 'User mentions a project → help define scope, create folder' is overly broad and can trigger on casual references to projects rather than an explicit request to use this skill. In a tool-using agent, that increases the chance of unintended filesystem actions and context capture without clear user consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs creation of '~/projects/' in the user's home directory but does not clearly warn that it will modify the local filesystem or request consent first. This can lead to unexpected writes, clutter, privacy issues, or accidental creation in sensitive environments where home-directory modification is undesirable.

VirusTotal

66/66 vendors flagged this skill as clean.
