Back to skill

Security audit

Agent Orchestrator 0.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it asks an agent to spawn autonomous sub-agents with file, command, and cleanup authority without enough scope or approval controls.

Review this before installing if you use agents on sensitive repositories or data. Only run it with an explicit orchestration request, a dedicated workspace, a cap on spawned agents, reviewed generated SKILL.md files, and confirmation before Bash commands, edits outside the workspace, archiving, or cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The mandatory trigger list contains broad phrases like 'orchestrate', 'delegate tasks', and 'task breakdown' that can match many ordinary requests and cause this powerful skill to activate unexpectedly. In this skill’s context, over-triggering is more dangerous than usual because activation can lead to autonomous sub-agent creation, file generation, task delegation, and workspace modification without the user explicitly asking for those behaviors.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to create workspaces and generate files via scripts, but it does not warn that these actions modify the filesystem or may copy sensitive inputs into new locations. In an orchestration skill, this omission is risky because users may invoke it for planning help while the skill proceeds into operational file creation and replication steps that broaden data exposure and change local state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs autonomous sub-agents to read instructions and inputs from inbox files and write outputs/status updates to outbox and status files, but it does not warn about the trust boundary or risks of propagating adversarial content through generated SKILL.md and task files. This is especially dangerous in a meta-agent context because dynamically generated instructions can amplify prompt injection, cause unintended actions across multiple agents, and spread sensitive data through file-based coordination.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The dissolution phase includes archival and cleanup actions that may modify, move, or remove temporary agent data, but the skill does not clearly warn users about potential data loss, retention, or accidental cleanup of important artifacts. In this orchestration setting, many transient workspaces may contain intermediate results or copied inputs, so unclear cleanup behavior increases the risk of losing needed data or retaining sensitive data longer than intended.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The research-agent template is framed as a broadly autonomous agent that gathers information from web and local sources, but it provides no invocation boundaries, authorization checks, or narrowing triggers. In an agent-orchestrator skill that dynamically generates sub-agent SKILL.md files, this broad wording increases the risk of overbroad delegation, unintended activation, and unsafe access to sensitive local context or untrusted web content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The code-agent template allows file operations and Bash execution for implementation tasks, yet its description is generic and lacks explicit activation constraints or safety guardrails. In this orchestrator context, that means dynamically spawned coding agents could be invoked for overly broad tasks and run commands or modify files outside intended scope, creating meaningful risk of unsafe code execution or repository damage.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The analysis-agent template is described in broad terms and includes Bash-based script execution without specifying trusted inputs, data boundaries, or safe execution constraints. In a system built to decompose tasks automatically, such ambiguity can lead to processing of untrusted data or execution of analysis scripts beyond intended scope, increasing exposure to misuse and data leakage.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The writer-agent template is broadly described as autonomous content creation and permits use of additional skills, but it does not define activation boundaries, trusted source requirements, or constraints on output targets. In an orchestrated multi-agent system, this can enable overbroad delegation and propagation of unreviewed or sensitive material into generated documents.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The review-agent template is nominally for QA, but the broad description and permission to make corrections can blur the boundary between review and modification without clear authorization conditions. Within an autonomous orchestrator, that ambiguity can lead to unintended edits, silent content changes, or approval decisions being made outside expected governance.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The integration-agent template can read multiple agent outputs and use Bash merge/diff tools, but its description does not define trust boundaries, permitted sources, or conflict-resolution constraints. In this meta-agent skill, that is especially dangerous because a broadly scoped integration agent can aggregate sensitive data across sub-agents, overwrite outputs, or merge malicious content from compromised agent outboxes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal