Security audit

Proflow

Security checks across malware telemetry and agentic risk

Overview

This workflow skill is not malicious, but it can create repository files, alter .gitignore, and modify code from broad triggers without a clear approval gate.

Install only if you want an automation skill that may write project documentation, create local state files, modify .gitignore, and change code. Prefer invoking explicit proflow subcommands, keep the project under version control, review diffs after each run, and review the required openspec and superpowers skills separately.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill clearly directs file reads and writes, status-file creation, log initialization, and .gitignore modification, but does not declare corresponding permissions. This creates a transparency and governance gap: an operator may trust the metadata while the skill performs repository mutations, increasing the risk of unintended file changes during execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The instruction to skip review stages and directly modify code for fixes or small features expands the skill from documentation/orchestration into autonomous code-changing behavior. Because the classification is based on loose prompt heuristics, a user request could be miscategorized and cause direct code edits without planning, review, or explicit confirmation, increasing the chance of unsafe or unauthorized changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: The skill claims standardized document/archive outputs, but it also writes hidden state-tracking files and modifies .gitignore. Undisclosed repository mutations are security-relevant because they can conceal generated artifacts, alter repo hygiene, and make downstream auditing harder, especially when done automatically.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The trigger conditions are broad enough that normal conversation about project workflows could invoke the skill unintentionally. In this context, accidental activation is more dangerous because the skill is designed to create files, mutate repository state, and potentially jump directly into code modification for some requests.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill omits a clear warning that it may automatically modify code and create files, despite instructing direct execution for some request classes. Lack of informed consent is especially risky here because users may expect documentation support but instead get repository and code mutations, which can damage projects or bypass normal review expectations.

VirusTotal

64/64 vendors flagged this skill as clean.