Back to skill

Security audit

Guardian Angel

Security checks across malware telemetry and agentic risk

Overview

Guardian Angel appears defensive and openly ethics-focused, but it takes broad control over tool execution and stores sensitive approval data with weak safeguards.

Install only if you explicitly want a Thomistic/Catholic ethics gate to influence agent actions. Review the plugin configuration, keep the approval timeout short, avoid approving actions from shared transcripts, and assume pending approval files may temporarily contain sensitive tool parameters. Do not rely on this plugin as your only protection against destructive commands or malicious plugins.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The specification claims startup diagnostics will detect override-capable hooks, but the described implementation performs no actual registry inspection and only logs a generic limitation message. This creates a false sense of security: operators may believe the plugin can detect later-running hooks that bypass Guardian Angel when it currently cannot.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comments and rationale state that priority -10000 makes Guardian Angel run last, but the diagnostics section admits lower-priority hooks could still execute later and override its decisions. This inconsistency can mislead deployers into overtrusting the enforcement boundary, weakening defense against malicious or conflicting plugins.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The draft introduces comprehensive logging of all actions plus a learning loop that promotes frequently seen patterns into a whitelist. For a moral-evaluation skill, this expands data collection beyond the minimum necessary and creates function creep: user requests and behavioral patterns may be retained and repurposed without clear limits or consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section mandates logging every action, normalized patterns, gate outcomes, and detailed Gate 3 affected-party analysis. That can capture sensitive personal data, relationship information, inferred vulnerabilities, and moral judgments in plain language, creating a high-value privacy and leakage target unrelated to the core act of real-time ethical filtering.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The nonce store persists full blocked-action parameters to disk, which may include secrets, personal data, credentials, commands, or message content. Because this is a security plugin operating on sensitive tool calls, persisting raw parameters increases confidentiality risk and may create a durable forensic target beyond user expectations.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The design displays approval nonces in agent-visible text and provides no guidance that they are security-sensitive approval references. In shared logs, transcripts, or multi-agent contexts, exposed nonces could be reused within their validity window to approve a blocked action without the intended user's informed consent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are broad enough to activate on nearly any action-taking interaction, causing the skill to become a pervasive gatekeeper over ordinary agent behavior. In this context, that increases the chance of overreach, unnecessary interception of user requests, and moral-policy enforcement in situations where the user did not explicitly request this framework.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill hard-codes evaluation against Catholic moral teaching as the governing decision framework without user consent or alternative policy modes. That creates a policy-injection risk where the agent's behavior can be silently redirected by a sectarian normative system, potentially overriding user autonomy, platform policy, or organizational requirements.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger activates on very broad conditions such as 'taking any action on the user's behalf' and 'making decisions with moral weight,' which can cover routine assistant behavior and cause the skill to intervene unexpectedly. In a multi-skill or tool-using agent, this can override normal workflows, introduce unnecessary gating, and create denial-of-service style friction or policy conflicts across ordinary interactions.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The skill hard-codes a specific Catholic/Thomistic moral framework as the decision authority for agent actions without indicating that this is optional or user-selected. That creates a values-alignment vulnerability: the agent may deny, alter, or escalate user requests based on sectarian doctrine rather than the user's preferences, platform policy, or jurisdictional requirements, especially when the skill says it should run before taking actions on the user's behalf.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill hard-codes a specific religious-moral framework as the governing decision layer without any user opt-in, alternative policy mode, or disclosure that it may override user preferences. In an agent context, this creates a governance and alignment risk: users may unknowingly delegate decisions to a hidden normative system that can block, redirect, or reshape actions based on sectarian values rather than the principal's stated policy.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes comprehensive logging and retrospective analysis without any accompanying user-facing warning, consent flow, or privacy notice. Silent collection of all actions and pattern history increases the risk that users disclose sensitive information believing the skill is only performing ephemeral moral review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The logging section specifies detailed capture of action descriptions and moral-analysis artifacts but provides no prominent warning that such data may include sensitive personal, relational, or reputational information. This omission undermines informed consent and increases the chance of over-collection and accidental disclosure.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file explicitly frames decision-making in a Catholic/Thomistic moral system as the default basis for elevated scrutiny, without any indication in this file that the user opted into that worldview. In an agent skill, this can silently steer outputs, approvals, refusals, and prioritization in ways that do not match the user's intent, creating policy manipulation and biased behavior rather than neutral assistance.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
Across the file, normative instructions repeatedly require Catholic/Thomistic judgments such as treating deception as intrinsically evil, elevating spiritual matters, and applying religiously grounded standards to legal, medical, financial, and interpersonal domains. Because these are operational instructions for agent behavior, an unannounced worldview-specific policy can systematically alter tool use, recommendations, and escalation paths, especially in sensitive domains.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This file gives normative decision guidance for high-stakes scenarios involving self-defense, bombing, end-of-life medication, obstetric emergencies, and deception, but it does not clearly warn readers that it is theological/moral analysis rather than legal, medical, safety, or operational advice. In an agent skill, that omission is risky because the model may operationalize these examples as action-permitting guidance in real-world situations, especially where harm to persons could result.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The rubric explicitly invokes Thomistic moral analysis and cites Catholic doctrine as a required escalation framework, which imposes a specific religious worldview on agent behavior without any visible user opt-in or configurability in this file. In a general-purpose agent skill, this can override user autonomy, distort neutral task handling, and cause inconsistent or discriminatory decisions for users who did not consent to faith-based governance.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
This section presents a specific Thomistic/Catholic moral framework as categorically authoritative using universal language such as 'always and everywhere wrong' and 'one must follow one's conscience' without scoping it to users who explicitly opted into that framework. In a skill intended to guide agent behavior, that can cause the agent to impose sectarian moral judgments, override user autonomy, and mishandle legitimate requests in pluralistic or regulated contexts.

Ssd 3

Medium
Confidence
92% confidence
Finding
Comprehensive logging of every action for later learning can retain raw user prompts and sensitive context in plain language, increasing the risk of data leakage, insider misuse, or secondary processing. Because the skill is positioned as a conscience layer, users may reveal intimate details that become unnecessarily durable records.

Ssd 3

Medium
Confidence
97% confidence
Finding
The detailed logging instructions create a broad retention surface for sensitive information, including identities, relationships, consent status, vulnerability assessments, and moral reasoning. If compromised or misused, these logs could expose highly personal data about users and third parties far beyond operational necessity.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Response Details

**Low (1-15)**: 
- Proceed without asking
- Log: action, score, one-line rationale
- No special notification needed
Confidence
97% confidence
Finding
without asking

Tool Parameter Abuse

High
Category
Tool Misuse
Content
const lowerCmd = cmd.toLowerCase();
    
    // Catastrophically destructive commands
    if (lowerCmd.includes("rm -rf /") && !lowerCmd.includes("rm -rf /tmp")) {
      return "Command would destroy root filesystem";
    }
    if (lowerCmd.includes(":(){ :|:& };:")) {
Confidence
94% confidence
Finding
rm -rf /") && !lowerCmd.includes("rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
const lowerCmd = cmd.toLowerCase();
    
    // Catastrophically destructive commands
    if (lowerCmd.includes("rm -rf /") && !lowerCmd.includes("rm -rf /tmp")) {
      return "Command would destroy root filesystem";
    }
    if (lowerCmd.includes(":(){ :|:& };:")) {
Confidence
94% confidence
Finding
rm -rf /"

Tool Parameter Abuse

High
Category
Tool Misuse
Content
const lowerCmd = cmd.toLowerCase();
    
    // Catastrophically destructive commands
    if (lowerCmd.includes("rm -rf /") && !lowerCmd.includes("rm -rf /tmp")) {
      return "Command would destroy root filesystem";
    }
    if (lowerCmd.includes(":(){ :|:& };:")) {
Confidence
94% confidence
Finding
rm -rf /

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/prompt-injection-defense.md:62

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:411