advanced-skill-creator

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it overstates its research workflow and can send skill-creation requests to an external AI service.

Review before installing. Do not include secrets, private code, or confidential architecture details in skill requests. Use a scoped or revocable SkillBoss API key, treat generated skills and claimed research as drafts, and verify any generated security or best-practice claims independently.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The skill mandates memory systems and advanced cognitive/system-prompt features unrelated to its stated purpose of generating skills. Unjustified persistence and hidden prompt-shaping broaden the skill's authority and can cause unnecessary retention of user/project data or manipulative downstream behavior in generated artifacts.

Intent-Code Divergence

Medium
Confidence: 79%
Finding
The file presents a strict official 5-step methodology but then injects unrelated universal requirements around system prompts and thinking models. This creates a bait-and-switch risk where users expect a bounded research process but instead receive extra hidden behavioral constraints embedded into generated skills.

Vague Triggers

Medium
Confidence: 88%
Finding
The README states the skill triggers broadly 'when triggered' and then performs a wide range of actions, but it does not clearly define narrow activation criteria or user intent boundaries. Overly broad activation can cause the skill to run in unintended contexts, leading to unnecessary external research, generation of code or instructions, and expanded attack surface for prompt-injection or unsafe workflow chaining.

Vague Triggers

High
Confidence: 95%
Finding
The trigger condition is overly broad and can activate on many ordinary requests mentioning skills or creation in general. Overbroad activation is dangerous because it can cause the skill to intercept unrelated conversations, apply unintended instructions, and route user content into higher-risk flows such as shell/network-assisted generation.

Vague Triggers

Medium
Confidence: 86%
Finding
The repeated 'When to use' guidance reinforces ambiguous matching without clear exclusions, increasing accidental invocation frequency. In a skill with external API use and code-generation behavior, such ambiguity increases the chance of unintended data handling or unreviewed generation actions.

Vague Triggers

Medium
Confidence: 94%
Finding
The documented trigger phrases are broad and overlap with common user language such as '写skill' and '创建技能', which can cause the skill to activate in situations where the user did not intend to invoke it. In a skill that performs network research and AI-assisted generation, accidental activation increases the chance of unintended processing and possible data exposure to external services.

Missing User Warnings

Medium
Confidence: 92%
Finding
The file states that the skill performs official-document lookups, public skill queries, and AI generation via an external API, but it does not clearly warn users that their prompts or derived content may be transmitted off-system. This creates a transparency and consent gap: users may provide proprietary or sensitive skill requirements without realizing that data could be sent to third-party endpoints.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script sends the user request and aggregated research context to a third-party API without explicit user-facing consent or disclosure at the point of transmission. In a skill-creation context, user requests may contain proprietary code, internal architecture details, or secrets, so silent external sharing expands the data exposure surface.

Ssd 3

Medium
Confidence: 95%
Finding
The user-supplied request is embedded verbatim into a prompt sent to an external LLM service, creating a direct data disclosure path to a third party. In this skill's context, requests for creating or modifying skills may include sensitive code, system details, credentials pasted by mistake, or proprietary workflows, making silent prompt forwarding materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.