Security audit

Essential Skills Package

Security checks across malware telemetry and agentic risk

Overview

This is a broad instruction-only productivity skill with disclosed examples for research, coding, and automation, and no hidden code or install behavior.

Install only if you want a broad helper skill. Avoid putting secrets or private data into web searches, review generated code changes before applying them, and approve any cron or scheduled task explicitly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill describes very broad capabilities across research, development, and automation without defining when it should or should not activate. In an agentic system, this can cause over-triggering on unrelated user requests, increasing the chance the skill invokes powerful tools or influences behavior outside its intended scope.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The generic call to action invites the model to apply the skill to almost any task type, without constraints or guardrails. This broad prompt can bias an agent toward selecting the skill by default, which raises the risk of unnecessary tool use, unintended automation, or misalignment with user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.