Security audit

Qa Test Estimation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a test-planning estimation skill with broad trigger wording but no evidence of harmful behavior.

Installers should expect the skill to help with QA time estimates, scheduling, and resource planning. Because its activation phrases are broad, users may want to invoke it explicitly for test-effort estimation tasks and clarify when they are discussing general project planning instead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill’s auto-trigger conditions are broad and include common project-management phrases such as '测试时间' (test time), '排期' (scheduling), and '资源规划' (resource planning), which can appear in many ordinary conversations. This increases the chance of unintended invocation: the agent may enter a specialized estimation workflow when the user did not explicitly request it, which can misroute assistance or produce irrelevant outputs.

VirusTotal

63/63 vendors flagged this skill as clean.
