Back to skill

Security audit

Research Tools Skill

Security checks across malware telemetry and agentic risk

Overview

This is a plain research-helper skill with broad but disclosed examples for web research, Python analysis, and project setup.

Install this if you want a general research workflow prompt. Treat its Python execution and session-spawn examples as actions that can change your workspace, review commands before running them, and avoid using private datasets, secrets, or untrusted code unless you explicitly intend to.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is framed as a broad 'research tools' package covering literature search, data analysis, and code development without defining when it should or should not activate. That ambiguity can cause the agent to invoke powerful capabilities in situations where the user did not clearly request them, increasing the chance of unintended web access, code execution, or task spawning.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples directly demonstrate `exec` and `sessions_spawn`, which can execute code and create project structures, but provide no warning that these operations may change the system state, consume resources, or run untrusted inputs. In a research context, users may paste external code snippets or topics from papers, making it easier to turn normal workflow guidance into unsafe execution or unintended environment modification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.