demo-skill

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk document-writing helper, with the main caveat that it may create a local Markdown file if it thinks the user wants one saved.

Install this if you want help drafting structured Markdown documents. When using it, state whether you want only a chat response or a saved file, and provide an exact filename or path when saving matters.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger description is very broad and explicitly says to use the skill whenever the user asks for many common documentation tasks, including vague requests like "help me write a doc" or "create a report." In an agentic system, this can cause unintended activation and override more specific or safer skills, increasing the chance of misrouting user requests and performing actions the user did not clearly intend.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to write a `.md` file to disk in the current directory based only on the user 'seeming' to want a saved file, without requiring explicit confirmation. This creates an unsafe side effect: unintended local file creation or overwrite, which is especially risky in automated environments or shared workspaces.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal