Security audit

Factory Floor

Security checks across malware telemetry and agentic risk

Overview

Factory Floor is mostly a coherent startup-coaching skill, but its installer runs an additional npm dependency install without a clear opt-in or lockfile, so users should review it before installing.

Install only if you are comfortable with the package writing to your agent skills directory and running npm to fetch renderer dependencies. A safer publisher posture would make the diagram dependency optional or explicit, use a lockfile or exact dependency pinning, and warn before running package installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The installer invokes `npm install --silent` in a copied `scripts` directory, which executes an external dependency installation step not required for a simple startup-coaching skill's core text content. Running npm can execute lifecycle scripts from dependencies and introduces supply-chain and code-execution risk on the user's machine during installation.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The README explicitly says the skill 'triggers automatically' for broad startup-related topics like priorities, bottlenecks, what to build, or flat growth. Those are common conversational phrases, so the activation scope is overly broad and may cause the skill to engage when the user did not intentionally request it, increasing the chance of irrelevant instruction injection into unrelated conversations.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
Telling users they can 'just describe your problem and it will activate implicitly' encourages activation from vague, natural-language input with no clear consent boundary. This makes accidental invocation more likely and can cause the skill's instructions or behavior to be injected into conversations where the user intended general discussion rather than startup-coaching guidance.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger description includes several common phrases such as "we're stuck," "I don't know what to do next," and "what should we focus on" that can appear in many non-startup conversations. This can cause the skill to activate outside its intended scope, leading to unintended routing, disclosure of irrelevant guidance, and interference with more appropriate skills or system behavior.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The installer creates directories and copies files into `~/.claude/skills/factory-floor` without first presenting a clear warning or obtaining confirmation. While the destination is expected for a skill installer, silent filesystem modification reduces user awareness and makes it easier to disguise unexpected content placement or overwrite behavior.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script runs a subprocess for `npm install` with no user-facing safety notice that package installation and potential script execution will occur in the target directory. This is dangerous because users may believe they are only copying skill files, while the installer is also executing package-manager behavior that can run arbitrary code via dependencies.

VirusTotal

64/64 vendors flagged this skill as clean.