skill-optimizer

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only SKILL.md optimizer, but its very broad high-priority auto-trigger rules could cause an assistant to enter optimization mode when the user did not clearly ask for it.

Install only if you want a proactive SKILL.md optimizer. Before using it, narrow or disable the generic auto-triggers, remove high-priority override behavior, require explicit user confirmation before analysis or rewriting, and avoid mutable remote install URLs unless you verify or pin the exact version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The document defines conflicting trigger behavior: it says the skill should be proactively called when triggers are detected, yet later says some trigger classes require confirmation first. This inconsistency can cause unsafe or unpredictable activation behavior, especially in systems that prioritize one rule over another and invoke the skill without the intended user consent.

Vague Triggers

High
Confidence: 97%
Finding
The trigger keyword list is overly broad and includes common words like '检查', '提升', '升级', 'skill', 'agent', and '技能', which can appear in many unrelated conversations. This creates a high risk of accidental activation, causing the agent to invoke optimization behavior outside the user's actual intent and potentially override the expected task flow.

Vague Triggers

High
Confidence: 96%
Finding
The automatic invocation rules are broad and ambiguous: mentioning generic terms like 'skill' or detecting a recent file change can trigger the skill, and the section states activation may occur without user confirmation. In a multi-skill agent environment, this can lead to unsolicited tool use, task hijacking, and interference with user-directed workflows.

Vague Triggers

Medium
Confidence: 91%
Finding
The examples normalize proactive triggering from vague statements such as a skill '效果不好' or from comparison requests, which do not necessarily mean the user wants optimization performed. This trains or guides the system toward intent overreach, increasing false activations and unauthorized workflow branching.

Vague Triggers

High
Confidence: 95%
Finding
The documented trigger list is extremely broad, including generic words like 'check', 'skill', and 'agent', and the README explicitly enables 'auto-trigger: true' with high priority. In an agent environment, this can cause unintended activation during ordinary conversation or while processing unrelated content, leading the skill to intervene, rewrite files, or steer workflow without clear user intent.

Vague Triggers

Medium
Confidence: 88%
Finding
The usage examples encourage invocation from vague natural-language requests like 'Improve this SKILL.md file' or 'Check this agent's quality' without clear boundaries on which file, skill, or object should be modified. In a multi-file or multi-agent workspace, ambiguity increases the chance of operating on the wrong artifact or taking optimization actions the user did not specifically authorize.

Vague Triggers

High
Confidence: 96%
Finding
The documented trigger set includes highly generic terms such as “检查”, “skill”, “技能”, and “agent”, and also enables `auto-trigger: true` with high priority. In an agent environment, this can cause the skill to activate in many unrelated conversations or on ordinary file changes, increasing the chance of unwanted instruction interception, workflow hijacking, or accidental modification of other skills.

Vague Triggers

Medium
Confidence: 87%
Finding
The example invocation phrases are broad and loosely scoped, such as requests to “改进这个 SKILL.md 文件” or “检查一下这个 agent 的质量,” without requiring explicit confirmation of target files, permissions, or operation boundaries. This makes accidental invocation more likely and can cause the skill to act on ambiguous user intent or the wrong resource.

Vague Triggers

High
Confidence: 96%
Finding
The auto-trigger metadata includes very broad triggers such as “skill”, “技能”, and “agent”, which are common terms in normal conversation. This can cause unintended activation and priority takeover of unrelated tasks, creating prompt-scope abuse and reducing user control over when the skill runs.

Vague Triggers

High
Confidence: 98%
Finding
The invocation rules direct the skill to activate on generic mentions of skill-related terms and even assign high priority that can override general tasks. In context, this makes the skill prone to hijacking conversations and steering workflows without clear user intent, which is dangerous for an agentic system handling diverse requests.

VirusTotal

47/47 vendors flagged this skill as clean.