english-polish

Security checks across malware telemetry and agentic risk

Overview

This skill is a local English-polishing tool whose file reads, writes, and diff generation match its stated purpose, with some ordinary file-overwrite safety caveats.

Install only if you are comfortable with a local CLI that reads and writes your document files. Avoid pointing --output at important existing files unless you have backups, and be cautious running the diff-generating polisher on shared multi-user systems because it uses predictable /tmp filenames.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script writes polished output and reports directly to either a user-specified path or an automatically derived sibling path without checking whether the file already exists or prompting before overwrite. In a CLI tool that processes arbitrary user-supplied paths, this can cause accidental data loss or unintended modification of files, especially if run in automation or on sensitive directories.

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content

    with open("/tmp/polish_new.md", "w") as f:
        f.write(polished)

    result = subprocess.run(
        ["diff", "-u", "/tmp/polish_orig.md", "/tmp/polish_new.md"],
        capture_output=True,
        text=True,

Confidence: 91%
Finding
subprocess.run( ["diff", "-u", "/tmp/polish_orig.md", "/tmp/polish_new.md"], capture_output

VirusTotal

60/60 vendors flagged this skill as clean.
