Back to skill

Security audit

Work Productivity Multi Search Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only workflow helper with overly broad activation wording, but no executable code, persistence, credential handling, or hidden data movement.

Install only if you want a general helper for multi-search-engine workflow planning. Be aware it may activate on broad search-related requests; use explicit skill invocation or disable implicit invocation if your agent environment supports that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad, repetitive, and include generic terms like "multi", "search", and "engine", which can cause the skill to be invoked in contexts unrelated to the intended workflow. In an agent ecosystem, unintended invocation can route user requests into the wrong skill, producing incorrect actions, confusing outputs, or bypassing more appropriate safeguards in specialized skills.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger keywords and sample invocations are overly generic terms such as "multi", "search", "engine", and "bug fix", which can match many unrelated user requests and cause unintended activation. In an agent environment, accidental invocation can route user input into the wrong workflow, leading to inappropriate actions, confusion, or unsafe chaining with other capabilities.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger list is overly broad and includes generic terms like "multi," "search," and "engine," which are likely to match many unrelated user requests. This can cause unintended skill activation, leading the agent to apply the wrong workflow, override more appropriate skills, or inject irrelevant instructions into normal conversations.

Vague Triggers

High
Confidence
95% confidence
Finding
The example trigger sentences are also extremely broad and natural-language-like, making accidental invocation more likely during ordinary user interactions. Because they resemble common requests rather than tightly scoped commands, they increase prompt-routing ambiguity and can cause this skill to activate outside its intended context.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list includes extremely generic terms such as "multi", "search", "engine", and "supports", which are common in many unrelated user requests. This can cause unintended activation of the skill, leading the agent to route tasks into the wrong workflow and potentially override more appropriate or safer skills.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation description says to use the skill when users mention broad categories like work-productivity, multi, search, or engine, without clearly defining scope. That ambiguity increases the chance of accidental invocation and misrouting, especially in systems that rely on textual descriptions for tool selection.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The default prompt is highly generic and broad, combining many loosely related terms and a truncated description rather than a narrowly scoped task trigger. This can cause the agent framework to invoke the skill in unrelated contexts, increasing the chance of prompt/skill confusion, accidental data exposure to the skill, or execution of the wrong workflow.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Enabling implicit invocation without tight trigger constraints allows the platform to auto-select this skill based on vague relevance matches. In a broadly described productivity/search skill, that increases the risk of unintended invocation, where unrelated user requests may be routed through this skill and expose context or produce unsafe, off-target actions.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger sentences are broad enough to match many ordinary user requests containing generic terms like 'help', 'workflow', 'multi', 'search', or 'engine', which can cause the skill to activate outside its intended scope. Overbroad activation increases the risk of incorrect routing, unintended invocation, and prompt-surface expansion, especially in agent ecosystems where skills may gain access to user context or downstream tools automatically.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.