Back to skill

Security audit

Sofagent Publish

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a workflow/orchestration assistant, but it gives itself broad activation, persistent local state, remote prompt/template loading, and local script execution without clear user control.

Install only if you are comfortable with a workflow skill that may persist task history and internal reflections to local files, reuse cached workflow plans, fetch role templates from GitHub, and run local check scripts. Review and constrain the file paths, disable or gate persistence where possible, and avoid using it with sensitive prompts or private project data until those behaviors are clearly disclosed and controllable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill expands its scope from internal behavioral constraints into network retrieval by instructing the agent to access an external GitHub repository for role templates. That creates an unnecessary supply-chain and prompt-injection surface, because remote content can change independently and influence downstream agent behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs execution of local shell scripts for closure and budget checks, which grants the agent operational capability beyond reflection/constraint logic. Even if the scripts are intended as safety checks, invoking filesystem-discovered scripts can execute unintended or tampered code and broaden the attack surface.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger and scenario definitions are broad and overlapping, so the skill may auto-activate in many normal workflows such as multi-file edits or vaguely 'high-risk' tasks. Because the skill injects persistent behavioral rules and directs the agent to load additional local files with high priority, ambiguous invocation expands the chance of unintended instruction precedence, user confusion, and workflow interference across unrelated sessions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The guidance says the skill description should be written as trigger conditions ('什么时候用') and warns that otherwise the skill may never be triggered, but it provides no concrete constraints, negative examples, or scope limits. In an agentic system, overly broad trigger wording can cause the orchestrator or model to invoke the skill in many unrelated or risky situations, expanding the skill's influence beyond its intended use and making misfires more likely.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation logic uses broad enterprise-related phrases such as workflow planning and deployment-adjacent terms as weak signals, which can cause the skill to activate in ordinary discussions that are not actually FDE engagements. In this skill, unintended activation is operationally risky because activation triggers a structured guidance flow, document generation, and downstream orchestration inputs, increasing the chance of inappropriate scope expansion or unwanted file creation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to write execution results, timing, success/failure status, and reflection content into local files such as task/logs and think.md, but the skill metadata shown to users does not warn about this persistence. This is dangerous because it can silently store sensitive operational context, prompts, file paths, or task history on disk, creating privacy, data retention, and cross-task leakage risks.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill reuses and may create workflow cache files under orchestrator/workflows/<hash>.yaml, but this behavior is not disclosed in the skill description. Undocumented cache creation is risky because cached plans may contain sensitive task structure or stale execution logic, and reuse across runs can expose prior context or cause unintended behavior when environments change.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file is entirely written in Chinese and repeatedly instructs the agent to operate using internal Chinese-language workflow terms without any user choice or fallback. In a general-purpose skill, this can cause the agent to ignore user language preference, reduce transparency, and increase the chance of misunderstanding safety-critical steps or hidden operational behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly instructs the agent to append records to task logs and additional state files (think.md, scoring/_index.md, orchestrator/) as a mandatory step before responding, but it does not require user consent or even a user-facing notice that local data will be modified. In an agent skill, this creates a real integrity and privacy risk because routine task completion causes persistent writes across multiple local files, potentially exposing sensitive task metadata and altering state outside the user's immediate awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.