Agent Harness

Security checks across malware telemetry and agentic risk

Overview

This markdown-only workflow skill is not malicious, but it can activate very broadly, spawn sub-agents, and save full sub-agent outputs to local files without clear consent or retention guidance.

Install only if you intentionally want a broad workflow framework that may take over common planning, research, review, and analysis prompts. For sensitive work, require explicit confirmation before spawning sub-agents or saving reports, and review or delete any files created under subagent_reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The workflow explicitly recommends that sub-agents write complete outputs to files in the user workspace as a general solution to truncation, even though the skill is described as a thinking/workflow framework rather than a file-persistence feature. This creates an unjustified data sink for potentially sensitive prompts, results, or derived content, and normalizes persistent storage without clear scope limits, consent gates, or retention controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The workflow expands a coordination/planning skill into persistent file-writing in the user's workspace, which changes the security boundary from ephemeral reasoning to durable data storage. That can cause unintended retention of sensitive prompts, model outputs, secrets, or user data, especially because the guidance presents file writing as the recommended default solution rather than an explicitly consented option.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The documentation recommends writing full sub-agent outputs to workspace files without showing a strong necessity tied to the skill's stated orchestration purpose. This creates an unnecessary persistence mechanism that can be abused to leave behind sensitive artifacts, increase data exposure, and broaden the effects of prompt injection or unsafe downstream tasks.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The skill registers extremely broad trigger words such as 'plan', 'think', 'review', 'analyze', and 'summary', which are likely to match many ordinary user requests unrelated to this skill. That increases the chance of unintended activation, causing this workflow skill to intercept or influence general reasoning behavior across unrelated tasks and potentially override more appropriate, narrowly scoped skills.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger list is extremely broad and includes commonplace words like "plan," "think," "review," "analyze," and "summary," which can cause the skill to activate for a wide range of normal user requests. In an agent framework skill, overbroad activation is dangerous because it can silently override default behavior, pull in additional instructions, and steer task handling even when the user did not explicitly request this skill.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger is a generic natural-language phrase for common cognition tasks (for example, 'research', 'plan', 'analyze', 'review') and lacks clear scoping, permission boundaries, or contextual activation constraints. In an agent framework, this can cause the skill to activate unintentionally across many unrelated prompts, increasing the chance that its workflow overrides safer task-specific behavior, performs unnecessary tool use, or processes sensitive context under the wrong procedure.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger list includes very common terms such as "analyze," "plan," "review," "summary," and "process," which are likely to appear in ordinary user requests unrelated to this skill. That makes unintended invocation plausible, causing the agent to enter a multi-agent decomposition and parallel-execution workflow when the user did not explicitly request it, which can expand scope, increase tool use, and create opportunities for context leakage across sub-tasks.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The markdown instructs sub-agents to save complete output files under a user workspace path and even frames this as the recommended engineering solution, but it provides no user-facing warning that sensitive task content may be persisted to disk. In a multi-agent workflow skill, sub-agents may process research, plans, summaries, or proprietary data, so silent file writes increase the risk of privacy leakage, unintended retention, and exposure to other local tools or users.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The markdown instructs sub-agents to save complete outputs to the user's workspace and even provides path conventions, but it does not require an explicit warning or consent regarding privacy, retention, or data persistence. In a multi-agent context, complete outputs may contain aggregated sensitive material from several tasks, making silent durable storage more dangerous than ordinary transient responses.
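The two Missing User Warnings findings and the install note above reduce to one control: persist sub-agent output only with explicit consent, only under the workspace's subagent_reports directory, and with a retention sweep so reports do not accumulate. The following is an added example of such a gate, not code from the Agent Harness skill or from SkillSpector. The subagent_reports directory name is the one the page mentions; the consent callback, the file names, the retention window and the owner-only file mode are assumptions.

```python
"""Consent-gated, directory-confined writer for sub-agent reports.

Added example. Three controls the findings ask for: (1) the user is asked
before anything is persisted, (2) writes cannot escape the report directory,
(3) stale reports are purged. Paths, callback shape and retention are assumed.
"""
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path
from typing import Callable

REPORT_DIR_NAME = "subagent_reports"   # path convention named on the page


class ReportWriteDenied(Exception):
    """Write rejected: outside the report directory, or the user declined."""


def confined_report_path(workspace: Path | str, name: str) -> Path:
    """Resolve `name` under <workspace>/subagent_reports, refusing traversal."""
    root = (Path(workspace) / REPORT_DIR_NAME).resolve()
    target = (root / name).resolve()          # absolute `name` or ".." resolve elsewhere
    if target == root or root not in target.parents:
        raise ReportWriteDenied(f"refusing to write outside {root}: {name!r}")
    return target


def is_confined(workspace: Path | str, name: str) -> bool:
    """Boolean form of confined_report_path for quick checks."""
    try:
        confined_report_path(workspace, name)
        return True
    except ReportWriteDenied:
        return False


def save_report(workspace: Path | str, name: str, content: str,
                consent: Callable[[Path, int], bool]) -> Path:
    """Persist `content` only after `consent(path, size)` returns True."""
    target = confined_report_path(workspace, name)
    if not consent(target, len(content)):
        raise ReportWriteDenied(f"user declined to persist {target.name}")
    target.parent.mkdir(parents=True, exist_ok=True)
    # Owner-only mode (assumed policy) so other local users cannot read the output.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(content)
    return target


def purge_stale_reports(workspace: Path | str, max_age_seconds: float,
                        now: float | None = None) -> list[Path]:
    """Delete reports older than the retention window; returns removed paths."""
    root = (Path(workspace) / REPORT_DIR_NAME).resolve()
    if not root.is_dir():
        return []
    now = time.time() if now is None else now
    removed = []
    for p in root.iterdir():
        if p.is_file() and now - p.stat().st_mtime > max_age_seconds:
            p.unlink()
            removed.append(p)
    return removed


def run_demo() -> dict:
    """Exercise the controls in a throwaway workspace and report what happened."""
    def always_yes(path: Path, size: int) -> bool:
        return True

    def always_no(path: Path, size: int) -> bool:
        return False

    body = "sub-agent findings (constructed)"
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        ws = Path(d)
        saved = save_report(ws, "task-1.md", body, always_yes)
        outcome["saved_under_report_dir"] = saved.parent.name == REPORT_DIR_NAME
        outcome["content_round_trip"] = saved.read_text(encoding="utf-8") == body
        outcome["mode_owner_only"] = (saved.stat().st_mode & 0o077) == 0
        try:
            save_report(ws, "../escaped.md", "x", always_yes)
            outcome["traversal_blocked"] = False
        except ReportWriteDenied:
            outcome["traversal_blocked"] = not (ws / "escaped.md").exists()
        try:
            save_report(ws, "task-2.md", "x", always_no)
            outcome["declined_write_skipped"] = False
        except ReportWriteDenied:
            outcome["declined_write_skipped"] = not (ws / REPORT_DIR_NAME / "task-2.md").exists()
        # Retention sweep simulated one day later with a one-hour window.
        removed = purge_stale_reports(ws, max_age_seconds=3600, now=time.time() + 86400)
        outcome["stale_report_purged"] = removed == [saved] and not saved.exists()
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The consent callback is where a real harness would prompt the user with the target path and size before the write; the traversal check matters because the report name may be chosen by a sub-agent whose input came from untrusted content. The retention sweep is the "review or delete any files created under subagent_reports" step from the install note, automated.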

VirusTotal

63/63 vendors flagged this skill as clean.
