Content Writer - MCB AI

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only social media writing skill with no executable code, credential access, persistence, or automatic posting behavior.

The skill is reasonable to install for drafting MCB AI-style social posts. Specify the platform and language explicitly, review generated posts before publishing, and avoid providing private or sensitive source material unless you are comfortable turning it into public-facing copy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 86%
Finding
The example invocation is broad enough that ordinary user requests to 'write' or transform content could unintentionally trigger this skill. In an agentic environment, overly permissive activation can cause the skill to engage on unrelated inputs, increasing the chance of prompt-routing mistakes and unintended processing of sensitive or adversarial content.

Vague Triggers

Medium
Confidence: 83%
Finding
Claiming the skill can generate posts from 'any source article' without clear boundaries encourages indiscriminate use across arbitrary input material. This broad scope can make the routing layer over-select the skill and may expose it to untrusted content or contexts it was not designed to handle safely.

Vague Triggers

Medium
Confidence: 96%
Finding
The top-level description says to use this skill whenever the user wants to write a post or generate content from source material, which is broad enough to trigger on many ordinary writing requests without clear boundaries. Over-broad routing can cause unintended activation, increasing the chance that unrelated user content is pulled into this skill's workflow and that platform/brand-specific instructions override the user's actual intent.

Vague Triggers

Medium
Confidence: 94%
Finding
The 'When to Use' section includes vague triggers like 'write a post' and 'tạo content' from any source material, without constraints on platform, output type, or user confirmation. In an agent setting, ambiguous trigger phrases can misroute requests into this skill and cause the system to apply hidden formatting, branding, or content-shaping rules the user did not ask for.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
Defaulting language to Vietnamese without explicit user choice can produce output in the wrong language and violate user-expectation or product policy constraints, especially in multilingual environments. Because language affects both content meaning and downstream publishing, an implicit default can lead to incorrect or unsuitable outputs being generated or posted.

VirusTotal

65/65 vendors flagged this skill as clean.
