多 Agent 项目协作工厂

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed project-template generator for multi-agent workflows, with no evidence of hidden data access, network activity, credential use, or persistence.

Install only if you want a skill that creates a local project scaffold and guides agent-based project generation. Run the generator from the directory where you want the new project, choose a fresh project name, and review PROJECT_CONFIG.yaml before asking agents to implement code.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill advertises project generation and produces files/directories, yet the metadata shown does not declare corresponding permissions or warn about write-capable behavior. In an agent ecosystem, hidden file-write capability weakens user consent and platform enforcement, making unintended workspace modification more likely.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The markdown presents automatic project generation, code writing, and creation of a full directory structure as normal behavior without an explicit warning that files will be written to disk. Users may invoke the skill expecting advisory output only, while the agent performs state-changing actions in the filesystem, which can overwrite files or create unexpected artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal