L

Security checks across malware telemetry and agentic risk

Overview

This is a simple listing-command reference, but its one-letter trigger and broad system-info examples could expose sensitive local details unintentionally.

Install only if you intentionally want a broad local system-listing shortcut. Avoid using the environment-variable, process, network, route, or firewall examples in sensitive workspaces unless you first filter or redact secrets, and be aware that the one-letter trigger may be invoked more easily than a clearer multi-word skill name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger is a single letter, "l", which is extremely broad and likely to collide with normal user text, variable names, commands, or multilingual content. In an agent setting, this can cause accidental invocation of the skill and unintended execution of reconnaissance-style commands such as listing files, processes, or network state.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description says the skill should be used whenever the agent needs to see what is present in a directory or system state, which is overly broad and lacks clear boundaries. This makes it easier for the agent to overuse the skill for general reconnaissance, increasing the chance of exposing sensitive filesystem, process, package, environment, or network information beyond the user's intent.

VirusTotal

66/66 vendors flagged this skill as clean.
