Back to skill

Security audit

Agent Security Framework

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad autonomous work-claiming, status-posting, board-polling, and persistence instructions beyond a normal security-hardening skill.

Install only if you intentionally want this skill to participate in Mission Control/Scrum operations, post coordination updates, and keep workspace memory. Review SOUL.md first, remove or gate the autonomous story-claiming, heartbeat command, channel announcements, and persistence instructions if you only need security scanning and hardening guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This section gives the skill broad team-orchestration and sprint-execution behavior that goes well beyond the declared security framework purpose. In an agent setting, this scope expansion can cause the skill to drive unrelated operational actions, task claiming, and workflow control, increasing the chance of unauthorized or unexpected behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The instructions explicitly direct the agent to self-assign work, claim the top story, and execute it without asking. That creates autonomous operational authority unrelated to the stated security role, which is dangerous because a user or scheduler could trigger broader actions than intended without meaningful approval boundaries.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
Mandatory routine status posting and channel announcements create an external communication behavior that is not necessary for a security-hardening skill. Even if intended for coordination, it can cause information leakage, spam, or unintended actions on messaging surfaces when the skill is invoked in the wrong context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The heartbeat protocol instructs the agent to run local shell commands and poll Mission Control as a first step on every heartbeat. This expands the skill from security analysis into repeated operational command execution and board surveillance, which can produce unauthorized access patterns or side effects not justified by the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The identity and vibe sections redefine the agent as a general orchestration leader for all agent work rather than a security-focused tool. This kind of persona-driven scope drift is risky because it influences downstream behavior across many situations, encouraging broad coordination and intervention outside the declared security domain.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.