Security audit

Unit Test Coverage Helper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only testing helper whose behavior matches its unit-test coverage purpose, with only minor routing overbreadth to watch for.

Install this if you want an agent to help plan and add unit or regression tests. Be aware that its broad trigger wording may make it activate for general quality-related development requests, so prefer invoking it explicitly when you want testing help.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list includes very broad terms such as "quality" and common testing words that can appear in many unrelated requests, increasing the chance this skill is invoked when the user did not specifically intend it. Over-broad activation can misroute tasks, cause irrelevant guidance to be applied, and in agentic systems may crowd out a more appropriate skill.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The manifest description says to use the skill whenever a user needs practical workflow, code, checklist, documentation, or review support for this job, which is expansive enough to match a wide range of ordinary development requests. In systems that auto-select skills from descriptions, this broad wording can lead to unintended invocation and unnecessary authority or context exposure.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes the standalone keyword "quality", which is overly broad and can match many ordinary requests unrelated to unit testing or coverage work. This can cause accidental invocation of the skill in inappropriate contexts, leading to misrouting, unnecessary file/code inspection, or generation of irrelevant testing guidance.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The default invocation phrase is broad enough to match ordinary user requests about adding regression tests for bug fixes, which can cause the skill to be implicitly invoked in situations where the user did not explicitly request this specific agent behavior. Because implicit invocation is enabled, this increases the chance of over-triggering and unintended routing, which can affect user intent handling and expand the skill's influence beyond narrow test-coverage tasks.

Vague Triggers

High

Confidence: 95% confidence
Finding: The trigger sentence at line 80 is overly broad and includes generic phrasing that could match ordinary user language rather than an intentional request to invoke this specific skill. That creates a prompt-routing risk where the agent may activate the testing skill unexpectedly, leading to irrelevant actions, confusion, or unintended access to repository context during automated orchestration.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The invocation guidance does not define clear boundaries for when the skill should and should not run, and the examples are broad enough to overlap with normal conversation. In a multi-skill agent environment, ambiguous routing rules increase the chance of accidental invocation, mis-prioritization over safer or more relevant skills, and unintended processing of project files.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal