Work Productivity Weather Current Workflow Helper

Security checks across malware telemetry and agentic risk

Overview

This is a low-capability workflow-helper skill with overly broad activation wording but no executable code, persistence, credential use, or hidden data movement.

Install only if you want a broad helper for weather-style workflow and skill-maintenance tasks. Be aware it may be invoked more often than intended because of generic trigger terms; explicit invocation by skill name is preferable when using it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger phrases are extremely broad and include common natural-language requests such as 'Help me' and 'I need a practical workflow,' which can cause the skill to activate in unrelated conversations. In an agent environment, this can lead to unintended invocation, prompt-routing errors, and execution of the wrong workflow based on ambiguous everyday speech.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrases are broad enough to match common user requests such as general help with workflows, weather, APIs, or bug fixes, which can cause the skill to activate outside its intended scope. In an agent ecosystem, overbroad invocation increases the chance of unintended routing, prompt interference, and unsafe application of this skill in contexts where it is not appropriate.

Vague Triggers

High

Confidence: 95% confidence
Finding: The skill description uses extremely broad activation terms like 'work-productivity,' 'api,' 'analysis,' and 'implementation support,' which can match many unrelated user requests. This creates an overbroad routing surface where the skill may activate outside its intended scope, increasing the chance that users receive irrelevant or unsafe workflow guidance without explicitly opting into this skill.

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger keyword list contains highly generic words such as 'api,' 'key,' 'required,' 'users,' and 'bug fix' that are common across many normal conversations. Such ambiguous triggers can cause unintended activation or skill shadowing, where this skill intercepts requests meant for other, more appropriate skills.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The example trigger sentences are built from ordinary help-seeking language like 'Help me' and 'I need a practical workflow,' which are common in benign user requests. Even though the examples include some domain text, their phrasing reinforces overly permissive activation patterns and may normalize triggering on everyday requests that lack clear weather-workflow intent.

Vague Triggers

High

Confidence: 96% confidence
Finding: The trigger keyword list includes very broad and high-frequency terms such as "weather", "current", "api", "key", "required", and "users", which can match many unrelated requests. This creates an overbroad activation surface, causing the skill to be invoked outside its intended context and potentially override more appropriate skills or inject irrelevant workflow guidance into unrelated tasks.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The sample trigger phrases are highly generic (for example, "Help me" and "I need a practical workflow for" followed by broad text), which encourages matching on ordinary conversational patterns rather than a clearly bounded skill domain. In systems that learn or derive routing behavior from examples, this can increase accidental invocation and reduce routing precision.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The default prompt contains a very broad activation phrase tied to common concepts like work productivity, weather, current, forecasts, API, workflow, checklist, and analysis. Combined with allow_implicit_invocation=true, this increases the chance the skill is invoked unintentionally during ordinary user conversation, causing prompt-context injection into unrelated tasks and unexpected behavior.

Vague Triggers

High

Confidence: 96% confidence
Finding: The trigger sentences are broad enough to match ordinary user requests containing common terms like "help me," "practical workflow," or the listed keywords, which can cause the skill to activate outside its intended scope. In an agent environment, overbroad activation can route unrelated tasks through this skill, leading to incorrect handling, prompt-context pollution, or unintended execution paths based on irrelevant requirement text.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal