
Security audit

Quack Workflow Engine

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can upload local workflow files to an external service and run workflows that may post publicly without a review step.

Install only if you understand that workflow YAML files are sent to orchestrate.us.com and may trigger actions in connected services. Review every workflow before running it, use --dry first, keep secrets out of workflow files, and add a manual approval step before any workflow posts publicly or changes external accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger phrase 'orchestrate' is extremely generic and likely to appear in ordinary user requests about planning or coordinating tasks, which can cause unintended skill activation. Because this skill can execute multi-step workflows against an external platform, accidental invocation increases the chance of unauthorized actions or execution of unreviewed workflow files.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The phrase 'multi-step' is a common descriptive term rather than a clear invocation boundary, so benign requests could incorrectly route into this skill. In this context, mistaken activation is risky because the skill is designed to run automation workflows, potentially chaining actions across services without the user intending to invoke this capability.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger 'parallel tasks' is broad and can match many harmless productivity conversations, creating ambiguity about when the skill should activate. Since the skill enables parallelized workflow execution and external API use, an overly permissive trigger can broaden the attack surface and lead to unintended automated operations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script posts the full workflow file contents to a remote service, but it does not clearly warn the user that local file data will leave the machine. Because workflow files may contain secrets, prompts, internal URLs, or operational logic, this can cause unintended data disclosure, especially when users assume the tool is purely local.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The workflow automatically posts LLM-generated content to Twitter with no user confirmation, preview, or disclosure that an external side effect will occur. Because the post content is derived from web search results and model output, mistakes, prompt-injected content, or misleading summaries could be published directly to a public account without operator review.
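The mitigations in the overview (review the workflow, run with --dry first, keep secrets out of workflow files, require manual approval before a public post) and the two Missing User Warnings findings describe a single pre-flight gate that sits between the workflow file and the upload/run step. The following is an added example of such a gate in Python; it is not code from the Quack Workflow Engine or from SkillSpector. The workflow schema (a top-level "steps" list whose entries carry "action" and "args"), the action names such as post_tweet, the credential regexes and the sample workflow are all assumptions constructed for illustration, and the sample is written as JSON rather than YAML so the block runs with the standard library alone.

```python
"""Pre-upload gate for workflow files: block literal secrets, surface side
effects, require approval. Added example, not Quack Workflow Engine or
SkillSpector code. The schema (top-level "steps", each with "action" and
"args"), the action names and the sample workflow are assumptions."""
import copy
import json
import re

# Key names that should only ever hold a ${ENV} or {{step.output}} reference.
SECRET_KEYS = re.compile(r"(?i)(api[_-]?key|token|secret|password|credential)")
# Literal values that look like credentials regardless of the key name.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "inline_assignment": re.compile(r"(?i)\b(api[_-]?key|token|password)\s*[:=]\s*\S+"),
}
# Hypothetical action names: ones with public or account-changing side
# effects, and ones that read the local environment or file system.
PUBLIC_SIDE_EFFECTS = {"post_tweet", "publish_page", "send_email", "update_account"}
LOCAL_HARVEST = {"read_env", "read_file", "list_dir"}


def _is_reference(value):
    """True for ${ENV_VAR} or {{step.output}} placeholders resolved at run time."""
    return value.startswith("${") or value.startswith("{{")


def _walk(node, path=""):
    """Yield (dotted path, scalar) for every leaf of a nested dict/list."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk(child, f"{path}[{i}]")
    else:
        yield path, node


def find_secrets(workflow):
    """Return [(path, reason)] for literal values that must not leave the machine."""
    hits = []
    for path, value in _walk(workflow):
        if not isinstance(value, str) or _is_reference(value):
            continue
        if SECRET_KEYS.search(path.rsplit(".", 1)[-1]):
            hits.append((path, "secret-looking key holds a literal value"))
            continue
        for reason, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                hits.append((path, reason))
                break
    return hits


def classify_steps(workflow):
    """Return (steps with public side effects, steps that harvest local data)."""
    side_effects, harvest = [], []
    for step in workflow.get("steps", []):
        name, action = step.get("name", "?"), step.get("action", "")
        if action in PUBLIC_SIDE_EFFECTS:
            side_effects.append(name)
        if action in LOCAL_HARVEST:
            harvest.append(name)
    return side_effects, harvest


def decide(workflow, approve, dry_run=False):
    """Gate order: literal secrets block the upload outright; --dry reports the
    side effects without running anything; otherwise every step with a public
    side effect needs the operator's approval before the workflow is run.
    `approve(step_names) -> bool` stands in for the manual approval prompt."""
    secrets = find_secrets(workflow)
    if secrets:
        return "block", [f"{path}: {reason}" for path, reason in secrets]
    side_effects, harvest = classify_steps(workflow)
    if dry_run:
        return "dry-run", {"side_effects": side_effects, "harvest": harvest}
    if side_effects and not approve(side_effects):
        return "refuse", side_effects
    return "run", side_effects


# Constructed sample (JSON stand-in for the engine's YAML): a search -> LLM ->
# tweet chain with a credential pasted straight into the file.
SAMPLE_WORKFLOW = json.loads("""{
  "name": "daily-summary",
  "steps": [
    {"name": "search", "action": "web_search", "args": {"query": "security news"}},
    {"name": "summarize", "action": "llm", "args": {"prompt": "Summarize: {{search.output}}"}},
    {"name": "post", "action": "post_tweet",
     "args": {"text": "{{summarize.output}}", "api_key": "AKIAABCDEFGHIJKLMNOP"}}
  ]
}""")
# The same workflow with the credential moved to an environment reference.
CLEAN_WORKFLOW = copy.deepcopy(SAMPLE_WORKFLOW)
CLEAN_WORKFLOW["steps"][2]["args"]["api_key"] = "${TWITTER_API_KEY}"

if __name__ == "__main__":
    print(decide(SAMPLE_WORKFLOW, approve=lambda steps: True))
    print(decide(CLEAN_WORKFLOW, approve=lambda steps: True, dry_run=True))
    print(decide(CLEAN_WORKFLOW, approve=lambda steps: False))
```

The order of the checks is the point: a secret in the file is a reason to refuse the upload before any approval question is asked, because the disclosure happens at upload time, while the approval prompt only guards the public side effect. Placeholder references such as ${TWITTER_API_KEY} pass the secret check, so the fix for a flagged file is to move the value into the environment rather than to weaken the pattern list.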

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 84%
Finding
The trigger 'run workflow' partially overlaps with the built-in command vocabulary around 'run', creating a shadowing risk where the skill may intercept requests intended for other execution paths. In a skill that launches workflows from files and interacts with an external orchestration service, this conflict can cause unexpected command routing and unintended execution behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
