Security audit

Qa Req Deconstruction

Security checks across malware telemetry and agentic risk

Overview

This is a requirement-analysis skill that reads user-provided requirement text, files, or URLs and produces structured QA analysis without installing code or making changes.

Install if you want structured QA analysis of requirement documents. Only provide files or URLs you are comfortable having the agent read, and review linked content sources before asking the skill to fetch them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill’s activation conditions are broad enough to trigger on common phrases like '分析这个需求' ("analyze this requirement") or when a PRD is uploaded, which can cause the agent to engage this skill in ordinary conversation without clear user intent for deep document analysis. This increases the chance of unnecessary file access and downstream processing of sensitive requirement documents, especially when combined with permissive tool access and automatic workflow chaining.

Missing User Warnings

Medium
Confidence: 96%
Finding
The workflow explicitly instructs the skill to read uploaded files and fetch URL content, but it does not require notifying the user, obtaining confirmation, or distinguishing local versus external data access. This can lead to unintended exposure of sensitive documents, surprise network requests, or retrieval of attacker-controlled remote content during routine analysis.

VirusTotal

61/61 vendors flagged this skill as clean.