Back to skill

Security audit

New York (State)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only New York guidance skill with disclosed, optional local memory and no evidence of hidden code, credential use, destructive actions, or data exfiltration.

Safe to install as a guidance skill. Enable the optional memory only if continuity is useful, and review what is saved in ~/new-york/memory.md; avoid storing full addresses, IDs, credentials, immigration details, payment information, or other sensitive records unless you deliberately choose to.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation rule is explicitly overbroad: activating whenever the user mentions New York State at all can cause the skill to engage outside its intended scope and steer conversations based on weak keyword matches rather than user intent. In a state-focused advisory skill, this increases the chance of irrelevant guidance, unnecessary memory-related prompts, and accidental collection of location or personal context when the user did not ask for New York-specific help.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.