Security audit

Wjs Auditing Project

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed project-audit skill that inspects repo, GitHub, build, release, and app-log state, then requires confirmation before making changes.

Install this only if you intentionally want an agent to audit the current project. Before invoking it, confirm you are in the right repository and signed into the intended GitHub account, then review the checklist before approving any push, merge, tag, release, stash, or branch action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation rule mixes concrete examples with a catch-all condition like 'holistic state-of-the-project check,' making activation boundaries unclear. Ambiguous scope selection is risky because this skill performs a wide, multi-source investigation that can pull sensitive operational and development metadata without a sufficiently explicit user request.

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation rule mixes concrete examples with a catch-all condition like 'holistic state-of-the-project check,' making activation boundaries unclear. Ambiguous scope selection is risky because this skill performs a wide, multi-source investigation that can pull sensitive operational and development metadata without a sufficiently explicit user request.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.