Back to plugin

Security audit

Agent Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed workflow-management plugin that stores local workflow state and guides agents through planning, execution, review, and delivery without evidence of hidden network access, credential use, or destructive behavior.

Install this when you want structured, persistent agent workflows. Review the local storage location because workflow names, notes, and outputs may persist across sessions, and keep an eye on broad process skills like verification or debugging if you prefer lightweight handling for small tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill text expands its process to 'every task', which conflicts with the manifest's narrow trigger condition for brainstorming-only use. This creates instruction-scope drift: if selected, the skill can inappropriately force design-first behavior onto routine or execution-oriented requests, potentially blocking intended workflows and causing the agent to ignore user intent.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The hard gate prohibits execution or deliverables before design approval, but nearby instructions require exploring project context and later mandate task creation and ordered completion. This contradiction can lead the agent to interpret pre-approval file inspection or task persistence as allowed despite the gate, weakening safety boundaries and making behavior unpredictable.

Session Persistence

Medium
Category
Rogue Agent
Content
## Checklist

You MUST create a task for each of these items and complete them in order:

1. **Explore project context** — check existing files, docs, prior work
2. **Ask clarifying questions** — one at a time, understand purpose/constraints/success criteria
Confidence
81% confidence
Finding
create a task for

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The skill contains contradictory cleanup guidance: earlier text says Option 2 keeps the working copy until review is complete, but the later 'Always' section says to clean up for Options 1 and 4 only. This inconsistency can cause the agent to either skip intended cleanup or clean up at the wrong time, increasing the chance of accidental data retention or premature deletion.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest narrowly limits this skill to concrete, reproducible debugging, but the body expands applicability to 'ANY unexpected situation,' which can cause the agent to invoke a rigid debugging workflow in contexts outside its approved scope. This kind of scope drift is dangerous because it can override higher-level routing expectations, leading to misapplication, delayed responses, and inappropriate behavior on non-debugging tasks.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill instructs use even when issues seem simple or urgent, which undermines the manifest's exclusions against straightforward one-step tasks and situations where the user wants immediate simple fixes. In an agentic system, this can bias the model toward unnecessarily invoking a heavyweight troubleshooting process, causing denial-of-service-by-friction, user frustration, and reduced compliance with intended tool-routing constraints.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The manifest description uses very broad trigger language such as "before wrapping up any task" and "delivering results," which can cause the skill to activate in many ordinary contexts. Over-broad activation can coerce agent behavior, inject procedural constraints into unrelated tasks, and increase the chance that higher-priority workflows are interrupted or steered unexpectedly.

Self-Modification

High
Category
Rogue Agent
Content
| **Refactor** | Close loopholes while maintaining compliance |
| **Write test first** | Run baseline scenario BEFORE writing skill |
| **Watch it fail** | Document exact rationalizations agent uses |
| **Minimal code** | Write skill addressing those specific violations |
| **Watch it pass** | Verify agent now complies |
| **Refactor cycle** | Find new rationalizations → plug → re-verify |
Confidence
85% confidence
Finding
Write skill

Self-Modification

High
Category
Rogue Agent
Content
1. **Find new rationalizations** — Run variations of the pressure scenario
2. **Document new violations** — Add to Red Flags section
3. **Plug loopholes** — Update skill, re-verify
4. **Repeat** until no new violations found in 3 consecutive runs

## Skill Structure
Confidence
85% confidence
Finding
Update skill

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.