skill-craft

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed skill-building helper whose local file creation, validation, and packaging behavior matches its stated purpose.

Install this if you want help creating or improving agent skills. Review generated files before publishing, and avoid pointing the packaging script at folders containing unrelated private files because it zips files under the selected skill directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The trigger list includes broad terms such as "SKILL.md", "fix skill", and similar generic phrases that can match unrelated conversations. Over-broad triggering can cause the wrong skill to activate in contexts involving arbitrary file editing or agent behavior changes, which is especially risky here because the skill can lead to file creation, modification, packaging, and script execution guidance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal