Back to skill

Security audit

Work Productivity Skill Vetter Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only workflow for reviewing skills, with no executable code or credential handling, though some trigger text is broader than it should be.

Before installing, be aware that this skill may be invoked more often than intended because some trigger text is broad. It is otherwise a low-risk workflow helper: use it for explicit skill vetting tasks, and revise the trigger keywords if you want tighter routing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are extremely broad, awkwardly phrased, and include generic terms like 'help me', 'practical workflow', and 'before installing', which can cause the skill to activate in contexts far beyond its intended scope. In a skill that influences security vetting decisions, accidental invocation can misroute unrelated user requests into this workflow, leading to inappropriate guidance, user confusion, or unsafe trust in irrelevant review outputs.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are very broad and generic, so the skill may activate in situations where the user did not explicitly intend to invoke a vetting workflow. In a security-related skill, overbroad activation can cause unintended handling of sensitive repositories, code, or review tasks, increasing the chance of inappropriate recommendations or unexpected execution paths.

Vague Triggers

High
Confidence
97% confidence
Finding
触发关键词包含极其常见的通用词,如“security”、“first”、“before”、“github”、“bug fix”,会让技能在大量无关对话中被误触发。对一个“vetter/workflow helper”类技能而言,这会扩大其介入面,导致错误路由、误导性建议覆盖更合适的技能,甚至在安全相关上下文中造成评估噪声。

Vague Triggers

Medium
Confidence
90% confidence
Finding
描述中的调用条件较宽泛,如“当用户提出 work-productivity, skill-vetter, vetter, security, first,或需要围绕该需求获得实用流程...”缺少清晰边界,容易把普通生产力、安全或排序相关请求都吸纳进来。这种模糊路由会造成技能选择错误,降低系统可预测性,并可能让不适合的工作流处理敏感安全话题。

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation with no visible activation boundaries or narrowing conditions in this file, so it may be triggered in situations broader than intended. Because this skill is designed to review other skills, overly broad activation could cause it to inspect or influence unrelated user workflows, increasing the chance of unintended data exposure, confusing tool selection, or unsafe automated vetting decisions.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger sentences are generic enough to match ordinary user requests about workflows, bug fixing, hardening, or GitHub-related help, which can cause the skill to activate outside its intended scope. In a vetting/security-oriented skill, over-broad invocation increases the chance of misrouting sensitive analysis tasks, creating confusing or unsafe automation behavior and masking the user's true intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.