Skill Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk Markdown-only security review helper, though its README overstates some coverage compared with the actual skill instructions.

Reasonable to install as a first-pass review helper. Do not treat it as a complete security audit: rely on the three checks described in SKILL.md, and expect URL scans to fetch remote skill content.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 88% confidence
Finding: The README presents inconsistent scope: the metadata says the skill audits three common patterns, while the body claims a seven-category audit with broader capabilities. This can mislead users about what the skill actually evaluates and create false assurance or confusion during security review.

Description-Behavior Mismatch

Medium

Confidence: 86% confidence
Finding: The documented behavior exceeds the stated limited scope by claiming additional audit categories and multiple input methods. In a security tool, overstating coverage is risky because users may rely on checks that are not actually implemented, leading to unsafe installation decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal