Security audit

Qa Test Workflow

Security checks across malware telemetry and agentic risk

Overview

This QA workflow is mostly coherent, but it can automatically read requirement files, directories, referenced child documents, absolute paths, and URLs without clear user confirmation or tight scoping.

Install only if you are comfortable with the agent reading the requirement files and linked resources you provide. Before use, explicitly limit it to a specific folder or document set, review referenced child documents before allowing ingestion, and avoid pointing it at directories that may contain unrelated private or sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The workflow definition is internally inconsistent: step numbers, ordering, and required stages differ across the '标准化工作流' (Standardized Workflow), '调用链总览' (Call Chain Overview), and '执行指令' (Execution Instructions) sections. In an orchestrator skill, contradictory execution intent can cause the agent to skip validation, run reporting before validation, or invoke the wrong dependent skills, resulting in unreliable or policy-bypassing behavior.

Vague Triggers

Severity: High
Confidence: 94%
Finding: The auto-trigger description uses broad phrases such as requests for testing help, uploaded requirement documents, or provided URLs, which can match many ordinary user interactions. In a high-privilege orchestration skill with file, web, and shell-capable tools, overbroad activation can cause unintended workflow execution, unnecessary document ingestion, and accidental expansion of the agent's operational scope.

Vague Triggers

Severity: High
Confidence: 95%
Finding: The when_to_use field lists vague trigger phrases such as '帮我测试' (help me test), '开始测试' (start testing), and '上传需求' (upload requirements), without defining boundaries, exclusions, or required context. This makes accidental invocation likely and is especially risky because the skill orchestrates many downstream skills and can consume local files or remote URLs once activated.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The routing rules explicitly direct the skill to read uploaded files, fetch URLs, and process document directories, but they do not require any user-facing disclosure, confirmation, or scoping limits before accessing additional data. In an agent workflow, this can cause unexpected local file access or network retrieval beyond what a user reasonably intended, increasing the risk of over-collection of sensitive data and unintended external requests.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The document mandates automatically reading all referenced child documents and merging them for analysis, including relative paths, absolute paths, directories, attachments, and mixed formats. This creates expansive transitive file access behavior that can pull in more content than the user explicitly supplied, potentially exposing unrelated sensitive files or causing the agent to process untrusted linked material without clear authorization boundaries.

VirusTotal

VirusTotal findings are pending for this skill version.