Security audit

Qa Team Skills

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only QA workflow skill whose sensitive data handling is disclosed and user-directed, though users should redact business data and confirm broad command routing.

Install only if you want QA workflow prompts to process testing artifacts. Redact customer, merchant, employee, order, token, and screenshot data; use read-only short-lived Jira/ZenTao tokens; verify domains before running generated curl commands; and confirm the selected QA command when a request is broad.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: The changelog explicitly describes using a "pushy" strategy to increase Claude invocation rate, which indicates deliberate optimization for more aggressive activation rather than strictly user-intent-driven routing. In a skill system, this can cause over-triggering, reduced user agency, and unintended execution of QA workflows on ambiguous prompts, especially since the skill is broadly scoped across many QA activities.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger example "帮我看下这个需求" is very short and underspecified, so it can cause /qa-prd to activate on generic 'look at this requirement' requests without clear testing or review intent. In a skill designed to auto-route QA workflows, broad examples increase accidental invocation risk and can misroute unrelated conversations into this skill.

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger example "写个报告" is extremely vague and lacks any QA or testing context, making /qa-report likely to activate for many unrelated reporting requests. Because this skill is mandated across broad QA scenarios, such an unconstrained example materially raises the chance of false triggering and unintended command routing.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The example embeds realistic payment troubleshooting content, including a concrete order identifier, payment amount, timestamps, and instructions to collect merchant backend and payment-platform screenshots. In a QA skill, this can normalize copying potentially sensitive transactional data into prompts or reports without any warning, redaction guidance, or data-handling constraints, increasing the risk of exposing customer, merchant, or financial information to the AI system or downstream logs.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill documents automatic routing based on very broad keywords like “进度” and “准出”, which can cause unintended invocation of the team-management capability when a user mentions those terms in a different context. In an agent system, overly broad triggers increase the chance of prompt/context hijacking, wrong-tool activation, or accidental processing of sensitive project data under the wrong workflow.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal