Self-Improving Business

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local business-process logging and reminder skill, with optional broad hooks that users should enable deliberately.

Install this only if you want local business-administration learning logs and optional agent reminders. If enabling hooks in a mixed-use workspace, prefer a narrow matcher or dispatcher instead of the blank matcher, and keep `.learnings` out of shared repositories when entries may contain sensitive business context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a logging/reminder mechanism, but it also documents hook installation that injects behavior on every prompt and an extraction workflow that writes new skill files under `./skills/`. That broader behavior increases the skill’s effective authority and can surprise users or operators who expect passive documentation only, which is a trust and control-boundary issue even if the stated business purpose is non-transactional.

Vague Triggers

Medium
Confidence
97% confidence
Finding
An empty `matcher` causes the hook to run on every prompt, which makes the skill auto-invoke regardless of user intent or topic. In prompt-injection-sensitive environments, broad automatic activation expands the attack surface, increases noise, and can cause unintended prompt influence across unrelated tasks.

Vague Triggers

Medium
Confidence
98% confidence
Finding
The advanced hook configuration repeats the same overly broad empty matcher, so both prompt submission and post-tool workflows can activate without meaningful scoping. This increases the chance of pervasive prompt contamination and undesired cross-context behavior, especially when combined with Bash-triggered post-tool hooks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The template encourages authors to describe trigger conditions in broad, non-operational terms without requiring concrete activation criteria, thresholds, or exclusions. In a business skill system, that can cause over-broad invocation and inappropriate guidance being surfaced in the wrong context, increasing the chance of poor operational decisions or unauthorized process influence.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The minimal template's phrase 'when to use it' is too open-ended and lacks guardrails on scope, preconditions, and prohibited contexts. That makes it easy to create skills that activate in ambiguous situations and provide guidance beyond their intended domain, which is risky in business-administration workflows involving approvals, budgets, or policy interpretation.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The empty `matcher` causes the `UserPromptSubmit` hook to run for every prompt, creating a globally triggered command execution path rather than a narrowly scoped reminder. In this skill, that broad trigger increases the attack surface for unintended execution, noisy persistence, and potential abuse if the referenced script is modified or replaced, even though the documented purpose is only reminder-oriented.

VirusTotal

64/64 vendors flagged this skill as clean.
