Back to skill

Security audit

Software Data Admapix Raw Developer Helper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only workflow helper with overly broad auto-invocation wording, but no evidence of malware, data theft, persistence, or destructive behavior.

Install only if you want a broad AdMapix-style software/data workflow helper. Be aware it may be selected for generic data or bug-fix requests because its triggers are loose; users who need precise routing should narrow the trigger wording or disable implicit invocation before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match common software-help requests such as generic workflow, bug-fix, or implementation support queries. In an agent-routing environment, this can cause the skill to be invoked outside its intended scope, exposing users to irrelevant instructions, accidental prompt capture, or unsafe cross-domain behavior if the skill is later expanded with more powerful actions.

Vague Triggers

High
Confidence
93% confidence
Finding
The documented trigger phrases are broad enough to match ordinary user requests such as generic workflow help, bug fixing, or software/data support, which can cause the skill to activate outside its intended scope. Over-broad activation increases the chance of misrouting conversations, invoking the wrong workflow, and exposing users to unintended instructions or outputs in unrelated contexts.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The manifest description uses broad activation terms such as 'software-and-data', 'raw', 'data', 'layer', and generic requests for workflows, artifacts, checklists, or analysis. This can cause the skill to trigger on many ordinary user requests outside its intended scope, leading to inappropriate invocation, prompt hijacking of routing behavior, or accidental exposure of users to irrelevant or lower-safety guidance.

Vague Triggers

Medium
Confidence
98% confidence
Finding
The trigger list includes very generic keywords like 'raw', 'data', 'layer', 'apps', and 'bug fix', which are common across many unrelated requests. In a skill-routing system, such vague triggers can overmatch benign traffic and cause this skill to intercept requests it was not designed to handle, degrading reliability and potentially bypassing more appropriate specialized skills.

Vague Triggers

High
Confidence
94% confidence
Finding
触发关键词包含 raw、data、layer、apps 等高度通用词,容易与大量普通请求重叠,导致技能在与 AdMapix 场景无关的对话中被误触发。误触发会把用户带入不相关的工作流,增加错误建议、上下文污染和越权处理敏感软件/数据任务的概率。

Vague Triggers

High
Confidence
91% confidence
Finding
技能描述将适用条件表述为 software-and-data、admapix、raw、data、layer 或需要实用流程/分析/实现支持时使用,其中多项条件过于宽泛,几乎可覆盖任意软件或数据类请求。这会扩大技能调用面,造成路由错误、与其他更适配技能冲突,并可能在不合适场景下输出带有操作性的工程建议。

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables allow_implicit_invocation without any visible trigger constraints, which means the agent may auto-select this skill in broader contexts than intended. Because this skill is framed as a general-purpose helper for software, data, workflows, implementation support, and adjacent tasks, overly broad automatic invocation increases the chance of unintended activation, prompt-scope expansion, and unsafe handling of unrelated user requests.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger sentence begins with a generic phrase like "Help me," which is ordinary conversational language and can match many unrelated user requests. In a skill-routing system, this can cause accidental invocation of this skill outside its intended AdMapix/software-data scope, leading to misrouting, confusion, and potentially inappropriate handling of user inputs.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation guidance is too loose and does not clearly bound the skill's activation conditions, combining broad keywords such as "software-and-data," "raw," and "data" with vague trigger examples. This increases the chance that the skill is selected for unrelated tasks, which is especially risky in an agent environment where skill selection may be automated from natural-language prompts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.