Spec-First Development

Security checks across malware telemetry and agentic risk

Overview

This skill is a planning workflow that reads a project and writes a spec document before coding, with no hidden installer, credential use, or external data flow found.

Install this if you want a spec-first workflow. Be aware that it can inspect files in the current project and create or modify SPEC.md, and that it may trigger from broad build requests; review the generated spec before approving any coding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The auto-trigger phrases are broad enough to activate on many ordinary requests, which can cause the skill to run unexpectedly and create or modify files without the user's specific intent to invoke this workflow. In this skill's context, unintended activation is more concerning because the workflow proceeds to inspect the codebase and write SPEC.md, increasing the chance of surprise filesystem changes and unnecessary project-wide analysis.

Missing User Warnings

Low
Confidence: 90%
Finding
The skill instructs writing SPEC.md to disk before implementation, but it does not clearly warn the user up front that a new file will be created as part of the process. Even though the file is not inherently dangerous, silent or implicit file creation can violate user expectations, clutter repositories, and in some environments trigger downstream automation or commits.

VirusTotal

65/65 vendors flagged this skill as clean.
