Skill Distiller (Compressed)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for compressing skill files, with modest disclosed local persistence and no evidence of hidden or harmful behavior.

Before installing, expect this skill to process skill markdown and potentially create or append local calibration/output files in the workspace. Use dry-run or review the output first if you do not want workspace changes, and avoid configuring external model providers or API keys unless you trust the environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill instructs the agent to append calibration data to `.learnings/skill-distiller/calibration.jsonl`, which is a workspace write operation. Because the skill is user-invocable and the document does not clearly warn that running it will modify local files or require explicit user consent before writing, it can cause unexpected changes to the user's repository or workspace state.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal