Unit Test Coverage Helper

Security checks across malware telemetry and agentic risk

Overview

This is a text-only helper for unit-test coverage work, with broad auto-activation wording but no hidden execution, credential access, persistence, or destructive behavior.

Install this if you want a helper for unit-test and coverage workflows. Be aware it may auto-activate on broad testing or quality requests, so prefer explicit invocation when you want this skill and review any proposed test or code changes before applying them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (10)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger sentences are broad enough to activate on generic requests about testing, workflows, or implementation support, which can cause the skill to run in contexts the user did not explicitly intend. In a multi-skill or agentic environment, ambiguous activation increases the chance of incorrect routing, unnecessary context capture, or the model applying test-coverage guidance when a narrower or safer skill would be more appropriate.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger phrases are broad enough to match ordinary user requests about testing, coverage, and practical workflows, which can cause the skill to activate outside its intended scope. Over-broad activation increases the chance of untrusted or irrelevant instructions being injected into normal conversations, leading to prompt hijacking of routing behavior or inappropriate tool use.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The manifest description uses broad activation terms like "software-and-data," "testing," and "implementation support," which can cause the skill to activate for many ordinary engineering requests beyond unit-test coverage work. Over-broad routing increases the chance of unintended invocation, which can overshadow more appropriate skills or cause the agent to follow an irrelevant workflow.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger keywords are extremely generic, including terms like "testing," "regression," and "quality," which are common across many unrelated software tasks. This creates a routing vulnerability where the skill may be selected for broad everyday requests, reducing precision and potentially interfering with safer or more specialized skills.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The example trigger phrases use very broad natural language like "Help me" and "I need a practical workflow," which are common prefixes in normal conversations and can encourage accidental or overly permissive matching. In practice, these examples widen activation scope and make it harder to distinguish legitimate unit-test-coverage requests from general software help.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description uses very broad trigger terms and a wide usage scope, which can cause the orchestrator to invoke this skill for many unrelated software requests. Over-broad routing is dangerous because it can misapply testing-oriented guidance in contexts where another skill should handle the task, increasing the chance of incorrect actions, prompt-surface expansion, or policy bypass through unintended skill selection.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The keyword list includes generic terms like 'testing', 'regression', and 'quality', which are common across many unrelated engineering requests. This creates ambiguous activation conditions and increases the likelihood of accidental invocation, broadening the attack surface and potentially steering users into an irrelevant or less secure workflow.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The default prompt is broad and matches generic requests about software, testing, analysis, workflows, and implementation support, which increases the chance this skill is invoked outside narrowly intended contexts. In combination with implicit invocation, this can cause unplanned routing of user queries into the skill, creating prompt-scope confusion and making downstream instruction abuse or data exposure more likely.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: Enabling implicit invocation without strict trigger boundaries allows the platform to auto-select this skill for loosely related requests. Because the skill description is already broad, this raises the risk of over-invocation, unintended handling of unrelated prompts, and increased exposure to prompt injection or context-misrouting issues.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger sentence is broad enough to match ordinary user phrasing about needing help or a workflow, which can cause the skill to activate outside its intended scope. Over-broad activation is dangerous because it may route unrelated requests into this skill, leading to inappropriate guidance, prompt hijacking opportunities through unintended invocation paths, or reduced reliability of task handling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal