Back to skill

Security audit

Skill Debloater

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent skill-cleanup helper that inspects and refactors target skill directories, with deletion gated on user confirmation and backups.

Install this if you want an agent to help refactor local skill directories. Review the target path before running it, expect it to read files inside that skill, and only approve deletions you are comfortable removing after confirming a backup exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises activation on broad phrases like 'clean up old versions,' 'too long/verbose,' or 'flaky,' which are common in normal conversation and could cause the skill to be invoked when the user did not intend a filesystem-modifying refactor workflow. Because the skill then instructs the agent to run local scripts, inspect directories, create backups, and potentially delete user-confirmed files, accidental invocation expands the chance of unnecessary file access and disruptive changes.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.