Ai Agent Helper Moss

Security checks across malware telemetry and agentic risk

Overview

This is a simple prompt-engineering helper with no executable code or system access, though users should verify the package identity metadata before installing.

This skill appears safe to install as a prompt-writing aid. Before installing, confirm that the publisher, slug, and version are the package you intended, because the embedded metadata does not fully match the registry/frontmatter context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (92% confidence)
Finding
The usage section lists invocation examples like "帮我整prompt", "點樣set AI agent", and "優化agent response" without defining whether these are exact triggers, examples only, or what contexts should not activate the skill. These phrases are broad enough to overlap with ordinary conversation about AI assistance, which could cause unintended invocation.

Natural-Language Policy Violations

Low (84% confidence)
Finding
The skill description is written in Cantonese/Chinese and presents the skill as operating in that language, but there is no indication that users may choose another language or locale. Under the stated policy, forcing a specific language without opt-in can be a natural-language policy concern.

VirusTotal

VirusTotal findings are pending for this skill version.