Back to skill

Security audit

Research Harness

Security checks across malware telemetry and agentic risk

Overview

This is a public-market research workflow skill that uses disclosed local notes, checkpoints, and archives; it has privacy and auto-triggering tradeoffs but no artifact-backed malicious behavior.

Install only in a workspace where you are comfortable storing research targets, notes, checkpoints, and full outputs on disk. Avoid using it with confidential client data or shared directories unless you configure a private workspace and review files such as .task-pulse, .checkpoint, active-tasks.md, biases.md, and output archives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The initialization flow directs creation of persistent workspace files containing personal role, coverage scope, tracked securities, and behavioral notes, but the menu-oriented skill description does not clearly scope or justify this storage. In an agent environment, silent persistence expands data retention and can surprise users, especially when the files may later influence behavior across sessions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The postamble mandates writing checkpoints and updating task-state files on every output segment, which expands the skill from research generation into persistent workspace mutation. That creates unintended side effects, can overwrite local state, and may persist sensitive task content without explicit user consent or clear necessity for the advertised function.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Requiring every output to be archived to filesystem paths introduces mandatory data persistence beyond the manifest's stated research role. This can store sensitive research prompts, proprietary analysis, or user data in local files without consent, increasing retention and disclosure risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill requires modification of active task-tracking files unrelated to producing research output, creating hidden side effects in the workspace. Such behavior can alter project state, mislead future automation, and persist user activity in ways the user may not expect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly requires reading a user-specific `biases.md` file even though the manifest describes a red-team research function, not access to personal user profile data. This creates unnecessary data access scope and can expose sensitive preferences or internal notes beyond what is needed for the task, especially because it is framed as mandatory rather than optional and consent-based.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The resume trigger includes highly ambiguous natural-language phrases like β€œζŽ₯η€δΈŠζ¬‘ηš„β€, which can overlap with ordinary conversation and cause the agent to resume a prior in-progress task without sufficiently explicit user intent. In a research harness that persists state across sessions, this can lead to unintended loading of prior context, continuation of stale work, or execution of file/state operations tied to the wrong task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented resume flow instructs the agent to automatically delete the checkpoint and update task state after completion, but does not require a prominent user-facing confirmation before destructive state changes occur. This is risky because a mistaken resume, misidentified task, or partial completion could silently erase recovery data and alter workflow state, reducing auditability and making rollback harder.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The user-facing continuation flow again specifies automatic deletion of `.checkpoint/t-001.md` once the run finishes, without making that destructive action prominent to the user at the moment of use. Because this skill is designed for long-running research tasks with cross-session persistence, silent deletion can destroy the only resumable state and obscure whether the final output fully captured all intermediate work.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger conditions are extremely broad, including greetings, vague short inputs, and generic help phrases, and they instruct the LLM to immediately show the menu. In a shared assistant context this can hijack unrelated conversations, override user intent, and force this skill to interpose itself when not explicitly requested.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The natural-language routing rules use broad keywords without clear scope boundaries, so common terms like 'ζ¨‘εž‹', 'ζ”Ώη­–', or '整理' could route ordinary discussion into specialized workflows. This can cause unintended task execution, collection of extra user data, or activation of downstream skills the user did not knowingly select.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow says to 'immediately' generate and write multiple files after collecting answers, but it does not require a user-facing warning or explicit confirmation that persistent data will be stored. This creates a consent and privacy problem because users may believe they are only answering setup questions, not authorizing durable writes that shape future sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Mandatory checkpoint and task-state writes occur without any explicit user-facing warning or consent gate, so the model is instructed to persist ongoing content and status silently. This is dangerous because users may assume a conversational analysis tool is non-persistent, while the skill instead records intermediate work products and metadata to disk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The archive step mandates writing complete outputs to workspace paths but does not require explicit warning or approval from the user before persistence. For research workflows, those outputs may contain confidential inputs, strategic analysis, or customer data, making silent archival a meaningful privacy and operational risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Updating task tracking files without a user-facing warning is an undisclosed side effect, though the sensitivity is somewhat lower than full content archival. It can still leak workflow status, create audit artifacts, or interfere with existing task systems in the workspace.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The file mandates a Chinese-only preamble and labels it as compulsory before any output, without offering a language-choice mechanism or requiring alignment to the user's language. In an agent skill, this can cause policy and UX violations by forcing unexpected language output and making users disclose clarifications in an unintended locale.

Vague Triggers

High
Confidence
96% confidence
Finding
This section explicitly instructs the model to trigger on vague, everyday phrasing and to prefer over-triggering. In an agentic skill, broad semantic matching can be abused to force unintended workflow activation, causing the model to bypass normal user-intent disambiguation and invoke research actions in contexts where they were not requested.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger tables define many activation phrases but provide few scope boundaries, exclusions, or disambiguation rules. That makes the activation surface overly permissive, so ordinary discussion about a company or market topic may be interpreted as a command to run one or more skills, which can lead to prompt-routing abuse and unreliable behavior.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill explicitly permits activation from very sparse inputs such as a vague request or a generic action, then proceeds with automatic routing and default assumptions. In an agent setting, this creates scope ambiguity and increases the chance of unintended skill invocation, misrouting, or producing high-confidence research output from insufficiently specified user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Using generic phrases like 'ζ€ŽδΉˆηœ‹ / ε€ΌδΈε€ΌεΎ—ηœ‹ / η»™δΈͺεˆ€ζ–­' as company-routing triggers is overly permissive because such language appears in ordinary conversation and may not reliably indicate a request for autonomous investment analysis. This can cause accidental activation and unauthorized or unintended generation of decision-oriented financial content.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing section relies on broad keyword buckets for earnings, models, events, and roadshows without scope constraints, precedence rules for overlaps, or negative examples. In a multi-skill harness, this makes prompt-driven control flow easy to steer unintentionally, leading to incorrect toolchain selection, overcollection of context, or production of misleading analysis under the wrong workflow.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates access to `biases.md` without warning the user that personal or user-specific data will be read during execution. Hidden access to user data undermines transparency and informed consent, and in this context is more concerning because the file appears to contain psychologically or strategically sensitive bias information that could influence outputs or leak private context.

Ssd 3

Medium
Confidence
92% confidence
Finding
The dual-output rule requires the full task content to be echoed in chat as well as written to disk, increasing exposure beyond the minimum necessary. If the task includes sensitive analysis, internal data, or user-provided confidential material, duplicating it in multiple channels expands the chance of accidental disclosure, logging, or downstream reuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
Checkpoint and progress logging require persistent recording of ongoing task content and status, creating unnecessary semantic retention of user work-in-progress. This increases the attack surface for later leakage, mishandling, or unintended reuse of partial and potentially sensitive material.

Ssd 3

Medium
Confidence
95% confidence
Finding
Step 0 instructs the agent to read and update `.task-pulse`, create task IDs, checkpoints, and carry task metadata across interactions. This creates persistent natural-language storage of user requests and targets, which can expose prior user context to later sessions, other users in a shared workspace, or downstream outputs without explicit consent.

Ssd 3

Medium
Confidence
96% confidence
Finding
The historical-output step explicitly tells the agent to read prior outputs and reuse their conclusions as inputs for the current task. In a research harness, that increases the chance of unintentionally resurfacing sensitive or proprietary content from earlier work, and it can propagate stale or confidential context into unrelated or insufficiently authorized sessions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.