bug reflection for debugging

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only bug-fixing checklist with no code, credentials, hidden behavior, or elevated access requested.

Safe to install as a debugging-process skill. Before using it, decide where Fix Reports should be stored and avoid recording passwords, tokens, private customer data, or unnecessary logs in those reports; non-Chinese users may want to translate or adapt the workflow wording.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill mandates activation whenever a user reports any bug, without meaningful scoping or confirmation. In an agent system, this can cause over-triggering, unnecessary workflow hijacking, and leakage of internal analysis/reporting behavior into unrelated conversations, especially when 'bug' is mentioned casually or ambiguously.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The description and body are written entirely in Chinese and the skill does not instruct the agent to match the user's language or offer a choice. This can degrade usability, cause misunderstandings in multilingual environments, and make the skill behave inconsistently with user expectations, though it is not a direct security exploit.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal