Back to skill

Security audit

AI编码异常处理控制框架

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed coding-quality workflow, but it can activate very broadly and directs agents to use network research, persistent project memory, review ledgers, and a potentially disruptive chaos-test script without enough scoping or user control.

Install only if you want this skill to govern normal coding tasks with a heavy exception-handling process. Before use, narrow activation to an explicit phrase, require confirmation before WebSearch/WebFetch or filesystem writes, keep .workbuddy memory out of sensitive repos unless intended, and treat the chaos-test script as unsafe until replaced with local/staging-only placeholders and explicit environment guards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The document defines a `reviewer-memory.md` file as private and explicitly unreadable by the coder, creating a hidden side-channel and asymmetric access-control workflow inside a coding skill. That exceeds simple exception-handling guidance and can enable opaque decision-making, concealed instructions, or undisclosed retention of sensitive review context without user visibility.

Context-Inappropriate Capability

Low
Confidence
69% confidence
Finding
The framework instructs the skill to perform WebSearch/WebFetch as part of automatic deep research, introducing network-reaching behavior not clearly scoped by the manifest description. This can cause unanticipated external data access, privacy leakage through transmitted prompts or project details, and expansion of the skill's operational surface beyond local coding guidance.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The design introduces WebSearch and WebFetch operations even though the skill’s stated purpose is exception-handling guidance for coding workflows. Expanding scope to external network access increases attack surface, can leak task context to third parties, and enables prompt-driven data exfiltration or untrusted content ingestion without a clear necessity in the manifest.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest presents a reusable coding exception-control framework, but the design persists project memory and audit-ledger data across the filesystem under .workbuddy. This scope expansion can create unauthorized retention of sensitive development context, surprise users with persistent state, and enable cross-project data exposure if files are later read by other skills or sessions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The SOP includes a deployment-time chaos test script that stops Docker services and sends requests to a hard-coded live external URL. In an agent skill, this can cause real service disruption or encourage destructive actions against production-like environments, which exceeds safe documentation for coding guidance and creates operational and potentially unauthorized impact.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The documented trigger phrases include very common development terms such as “写代码”, “设计”, and “需求分析”, which are likely to appear in ordinary conversations and can cause unintended automatic skill activation. In an agentic environment, unexpected activation can inject constraints, workflow steps, or side effects into unrelated tasks, reducing user control and potentially altering downstream behavior without explicit consent.

Vague Triggers

High
Confidence
94% confidence
Finding
The skill declares trigger phrases such as '写代码', '设计', '测试', and '代码审查' that are extremely broad and likely to match a large portion of normal software-development conversations. Overbroad activation increases the chance that this skill will be invoked outside its intended scope, injecting heavy process instructions, mandatory tool use, and workflow constraints into unrelated tasks, which can override user intent or cause unsafe operational side effects in environments where tools are available.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Claiming applicability to any language, framework, and platform without defining constraints encourages universal application of the skill's prescriptive workflow, even where its assumptions do not fit the environment. This raises the risk of inappropriate activation, poor tool choices, and context-insensitive instructions that can disrupt workflows or lead the agent to perform unnecessary external actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger example activates on very broad, common requests such as writing code, designing, testing, reviewing, or refactoring, making unintended invocation likely. Overbroad triggering can force invasive workflow changes, unexpected file creation, network research, or review-state machinery in ordinary conversations where the user did not request this framework.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad terms like writing code, design, or requirement analysis, which are likely to match ordinary conversation and activate the skill unexpectedly. Overbroad triggering is dangerous here because the skill is designed to execute multi-step workflows and write artifacts, so accidental activation can cause unintended file operations and process hijacking.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The design creates directories and writes files under .workbuddy but does not clearly require a user-facing warning or confirmation before modifying the filesystem. Silent persistence is risky because users may not realize artifacts are being created, sensitive content may be stored unexpectedly, and repeated invocations can accumulate durable state.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill’s documented trigger covers very common software-development phrases such as writing code, design, testing, and code review, which makes accidental or excessive activation likely. In an agent environment, this can cause the skill to intercept unrelated requests and impose broad workflow control, increasing the chance of unintended file creation, process hijacking, or disruption of other specialist skills.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The acceptance criteria say the skill is invoked when the AI is asked to implement a feature, but they do not define precise boundaries for when invocation is mandatory versus optional. That ambiguity is risky because broad activation logic can be interpreted inconsistently by the agent runtime, leading to overreach into normal conversations or conflicting behavior with other coding and review skills.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.