office-hours

Security checks across malware telemetry and agentic risk

Overview

This is a planning-only skill that asks product-discovery questions and produces a design document, with no executable code or hidden data access.

Install this if you want a strongly opinionated product-discovery workflow before implementation. Expect it to challenge assumptions and focus on planning, mostly in Chinese; it should not need credentials, command execution, network access, or persistent permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases are very broad and overlap with common ideation, planning, and brainstorming requests, which can cause the skill to activate in many unrelated contexts. This creates routing/invocation risk: users may be steered into a rigid design-doc workflow when they did not ask for it, potentially degrading task fidelity and suppressing more appropriate skills.

Vague Triggers

Medium
Confidence: 95%
Finding
The instruction to proactively suggest this skill before any coding is overly expansive and can override normal task routing even when the user is already asking for implementation help. In practice, this can bias the agent toward unsolicited redirection, causing denial of expected assistance and broadening the skill's effective control surface beyond its intended niche.

VirusTotal

60/60 vendors flagged this skill as clean.
