Back to skill

Security audit

Safety Programming Checklist

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local safety checklist, but it includes under-scoped GitHub publishing and token-handling instructions that users should review carefully.

Install only if you want a Hermes Desktop safety checklist and are comfortable ignoring or removing the GitHub publishing section unless you explicitly ask the agent to publish code. Do not place long-lived personal access tokens in Git remote URLs; prefer safer credential handling and require confirmation before any proxy, push, PR, or API action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a mandatory local safety checklist for system-level modifications, but it also includes unrelated instructions for publishing code to GitHub through proxies and with personal access tokens embedded in remote URLs. Mixing operational guardrails with credential-handling and network exfiltration workflows expands the skill’s scope and can normalize unsafe token usage, increasing the chance of accidental secret exposure or unauthorized code publication.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The network-oriented guidance is not justified by the stated purpose of a local safety checklist and introduces instructions for proxy configuration, authenticated Git operations, and GitHub API usage. In a mandatory pre-modification skill, this creates dangerous capability creep: an agent may infer that network access and authenticated publishing are approved side effects of loading the skill, potentially exposing code or credentials beyond the user’s intent.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The skill imposes a location-specific GitHub publishing workflow tied to a blocked-network environment, without clear scoping or user opt-in. Because the skill is described as mandatory and preloaded before sensitive system changes, these publishing steps may be treated as default operational behavior, which is inappropriate and could lead to unapproved proxy use, secret handling, or code transfer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.