Back to skill

Security audit

Jenkins Plugin Skeleton Generator Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a Jenkins plugin scaffold generator with disclosed, purpose-aligned behavior and no evidence of hidden data access or unsafe execution.

Install if you want an agent to help generate Jenkins plugin skeletons. Be aware it may activate on broad Jenkins plugin development requests, so specify when you want only advice or code review rather than full project scaffolding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad and closely match ordinary user requests for help creating a Jenkins plugin, without any clear invocation delimiter, confirmation step, or exclusion criteria. In an agent environment, this can cause the skill to activate unexpectedly and steer the model into generating project scaffolding when the user may have intended a narrower coding, review, or advisory task, creating scope hijack and instruction-interference risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation conditions are broad enough to trigger on generic requests about creating or developing Jenkins plugins, which can cause the skill to activate when the user did not intend to use this specific scaffold generator. In a multi-skill agent, this increases the chance of incorrect routing, unnecessary collection of project details, or generation of misleading build instructions in contexts where a different skill or a narrower workflow should have been used.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.