Qa Test Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a software testing helper with read/search-only access and no evidence of hidden, destructive, or data-stealing behavior.

Install this if you want QA workflow and test-case generation help. Provide only the requirements or project files you want the agent to read, and inspect any external GitHub scripts before running them because they are referenced but not included in this artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (94% confidence)
Finding
The `when_to_use` trigger uses broad natural-language phrases like “软件测试”, “测试用例”, and “测试设计”, which can match many ordinary requests and cause the skill to activate outside its intended scope. Because this skill orchestrates a large set of related testing capabilities, unintended invocation can steer the agent into using an expansive workflow the user did not explicitly request, increasing prompt-scope creep and the chance of inappropriate tool-assisted behavior.

Vague Triggers

Low (88% confidence)
Finding
The invocation examples use common phrases such as “请帮我测试这个项目” and “帮我设计测试用例”, which are broad enough to normalize activation on underspecified requests. In practice this can cause the assistant to assume permission to run a full testing skillchain or request external artifacts when the user may have intended a narrower question, creating unnecessary overreach rather than a direct exploit.

VirusTotal

63/63 vendors flagged this skill as clean.
