Back to skill

Security audit

Systematic Debugging

Security checks across malware telemetry and agentic risk

Overview

This is a coherent debugging guide, but it includes broad, forceful instructions and diagnostic examples that can expose environment values and macOS keychain signing identity metadata in logs.

Review before installing. If used, treat its diagnostic commands as examples to adapt, not commands to run verbatim: redact environment values, avoid dumping keychain or signing identity details into shared logs, and require explicit approval before running credential- or identity-related diagnostics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broad enough to trigger on almost any bug or unexpected behavior, which can cause the agent to over-apply this skill in routine contexts. Overly broad activation increases the chance that embedded instructions or workflows in the skill will influence unrelated tasks, expanding attack surface and creating prompt-routing risk.

Credential Access

High
Category
Privilege Escalation
Content
env | grep IDENTITY || echo "IDENTITY not in environment"

   # Layer 3: Signing script
   echo "=== Keychain state: ==="
   security list-keychains
   security find-identity -v
Confidence
80% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
# Layer 3: Signing script
   echo "=== Keychain state: ==="
   security list-keychains
   security find-identity -v

   # Layer 4: Actual signing
Confidence
81% confidence
Finding
keychain

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.