Back to skill

Security audit

ProjectManager

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed ProjectManager integration with one broad trigger instruction, but no evidence of hidden, destructive, or deceptive behavior.

Before installing, understand that the skill may be invoked broadly for ProjectManager-related prompts. Use it when you intend ProjectManager data retrieval or workflow help, and review any external actions before allowing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The instruction to use this skill for "ANY ProjectManager request" creates an overly broad activation scope that can cause the agent to invoke the skill whenever ProjectManager is merely mentioned, even if the user did not intend tool use. This increases the chance of unnecessary external data access, accidental execution, and bypass of more context-appropriate handling, especially because the skill is positioned as a mandatory path instead of a constrained option.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.