Security audit

Let Fate Decide

Security checks across malware telemetry and agentic risk

Overview

This is a self-contained tarot-style tie-breaker skill that uses local randomness and does not show hidden access, persistence, network use, or destructive behavior.

Install this only if you are comfortable with your agent using tarot-style randomness for low-stakes ambiguous choices. Avoid relying on it for security, data integrity, production, financial, or other decisions where stable reasoning and explicit user control matter.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The activation criteria are broad enough that the skill could trigger on common conversational phrases such as 'surprise me' or on loosely defined ambiguity. In practice, this can cause the agent to substitute randomness for deliberate reasoning, leading to inappropriate behavior selection or non-deterministic decisions in contexts where users did not meaningfully consent to that mode.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: Repeating vague trigger phrases in the operational guidance reinforces accidental activation and increases the chance that this skill is invoked in ordinary interactions. Because the skill intentionally injects entropy into planning, accidental use can degrade reliability, reproducibility, and user expectations, especially for tasks that appear subjective but still benefit from stable reasoning.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal