Unit Test Coverage Helper

Security checks across malware telemetry and agentic risk

Overview

This is a plain unit-test coverage helper; its main issue is loose activation wording, not malicious behavior.

Safe to install if you want help with unit tests and coverage. Because the trigger wording is broad and implicit invocation is enabled, prefer invoking it explicitly for testing work and review any proposed code changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger sentences are broad and generic enough that the skill may activate in situations only loosely related to unit testing or coverage work. Overly permissive activation can cause unintended routing, where unrelated software requests are handled by this skill and produce incorrect guidance, wasted actions, or context leakage across tasks.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger phrases are broad and natural-language based, including generic requests like 'Help me' and 'I need a practical workflow', which increases the chance the skill is invoked unintentionally for loosely related requests. In an agent ecosystem, over-broad routing can cause the wrong skill to activate, leading to misleading outputs, unnecessary file/code handling, or unexpected workflow execution.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The description and use guidance are broad enough to activate on very common software-help requests, which can cause this skill to be selected outside its intended scope. Over-broad routing is dangerous because it can overshadow more appropriate skills, increase prompt-surface exposure, and lead to irrelevant or lower-quality assistance in security- or code-sensitive contexts.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger keywords include generic terms like 'testing', 'regression', and 'quality' without boundaries, making accidental activation likely across many unrelated requests. This increases misrouting risk and may expose users to an unsuitable workflow or cause the agent to prefer this skill in contexts where another skill should handle the task.

Vague Triggers

Severity: Low
Confidence: 84%
Finding
The example trigger phrases use ambiguous lead-ins like 'Help me' and 'I need a practical workflow', which are common across many user intents and do not clearly signal a unit-test-coverage-specific need. While less severe than the broad keywords, they reinforce loose matching behavior and can contribute to unnecessary or incorrect skill invocation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger section uses very broad keywords such as 'software-and-data', 'testing', and 'quality' without clear scope boundaries or disambiguation rules. This can cause the skill to activate in unintended contexts, leading the agent to apply this workflow when the user wanted something else, which is a prompt-routing and reliability risk rather than a code-execution issue.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The default prompt uses very broad terms such as software, unit tests, test coverage, testing, regression, workflow, artifact, checklist, analysis, and implementation support. Because these phrases overlap with common developer requests, the skill may be invoked in situations the user did not explicitly intend, expanding its influence over unrelated conversations and increasing prompt-routing risk.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
Enabling implicit invocation without tight activation constraints allows the platform to auto-select this skill based on ambiguous language. In a broadly scoped developer context, that can cause unintended invocation, inappropriate context access, or over-application of the skill to normal engineering conversations where the user did not ask for it.

Vague Triggers

Severity: High
Confidence: 92%
Finding
The trigger sentence begins with a very broad phrase ('Help me'), which can cause the skill to activate in many unrelated conversations. Overbroad activation increases the chance of inappropriate invocation, unintended context capture, and workflow hijacking where the agent applies testing guidance when the user did not actually request this specific skill.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger section is ambiguous because it mixes keywords, generic request forms, and a templated invocation without clearly defining when the skill should or should not run. This ambiguity can lead to accidental activation on general software questions, causing misrouting and reducing the reliability of skill selection in multi-skill environments.

VirusTotal

63/63 vendors flagged this skill as clean.
