Back to skill

Security audit

Unit Test Generator / 单元测试生成

Security checks across malware telemetry and agentic risk

Overview

This skill claims to generate unit tests but mostly contains generic promotional content and unrelated external affiliate links instead of usable testing instructions.

Review carefully before installing. This skill does not appear to implement or explain a real unit-test generation workflow, and it includes unrelated promotional links. There is no evidence of malware, persistence, or credential theft, but the purpose mismatch and advertising make it unsuitable to trust as a testing automation skill without revision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest claims this is a unit-test generation skill, but the body provides almost no operational instructions and is dominated by generic marketing copy. This mismatch can mislead users or orchestrators into invoking an undeclared or nonexistent capability, weakening trust, reviewability, and safe routing of the skill.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill embeds unrelated external advertising and affiliate-style links, including hosting and trading promotions, which are not justified by a unit-test generation function. In an agent ecosystem, this creates a social-engineering and trust-boundary risk by encouraging clicks to external sites and monetizing skill execution context for purposes unrelated to the user task.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is overly broad and lacks concrete invocation criteria, trigger boundaries, or scope limits. This can cause an agent to invoke the skill inappropriately or too often, increasing the chance of unsafe delegation, user confusion, or accidental execution of an unreviewed capability.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.