Back to skill

Security audit

Deep Research Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only research helper whose web search, subagent use, and report writing are disclosed and aligned with its purpose.

Install it if you want an agent to perform structured web research and produce reports. Prefer a scoped install target if you do not want generic questions routed through it, and avoid using it with sensitive internal information unless web search and subagent processing are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises very broad trigger phrases such as "what is," "tell me about," "analyze," and "compare," which are common in ordinary user requests and not tightly scoped to explicit research-mode invocation. In environments that auto-select skills from descriptions or examples, this can cause the research agent to activate unexpectedly, leading to over-broad data gathering, unintended tool use, or interference with other skills handling normal conversational queries.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is extremely broad, including common phrases like "what is", "tell me about", "analyze", and "compare", which can match many ordinary user requests and cause this skill to activate unintentionally. In an agent system, over-invocation can lead to unnecessary web access, subagent spawning, extra cost, and unintended data flow into a more powerful research workflow even when the user did not explicitly request deep research.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The package description advertises a very broad set of triggers such as 'what is', 'tell me about', 'analyze', and 'compare', which are common in ordinary user requests and can cause this skill to activate far outside a narrowly intended research scope. In an agent ecosystem, overly broad trigger language can lead to unintended invocation, excessive data access or tool use, and routing of user queries to a more powerful analysis skill than necessary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.