Masterclass Builder

Security checks across malware telemetry and agentic risk

Overview

This tutoring skill stores course lessons and progress locally, which matches its stated purpose and shows no hidden or harmful behavior.

Install if you are comfortable with the skill creating and updating local course files under masterclasses/. Avoid putting secrets or highly sensitive personal details in homework notes, and review any scheduled-delivery cron command before adding it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill advertises broad natural-language triggers such as 'teach me [topic]' and 'I want to learn [topic]' at the metadata level, which increases the chance of accidental invocation during ordinary conversation. Because the skill performs stateful file writes and lesson-generation workflows once activated, unintended triggering could create or modify user workspace data without clear user intent.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger table includes ambiguous phrases like 'next lesson', 'my courses', 'course progress', and 'resume [topic]' without requiring that the conversation already be inside this skill's context. These are common phrases that may appear in unrelated chats, so the skill could incorrectly activate and read or update course state, causing unintended actions and confusing cross-skill behavior.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal