Back to skill

Security audit

Rule Spec

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for managing business-rule specs, with disclosed external CLI use and only scoping caveats.

Install this if you want help managing rulespec.yaml business rules. Review generated SKILL.md files before loading them into an agent, avoid putting sensitive examples into rule files unless necessary, and verify the external rulespec npm package before running npx commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill advertises very broad activation phrases such as generic requests to add policies, constraints, guardrails, or business rules. That can cause over-triggering in unrelated conversations and route sensitive policy or prompt-shaping tasks into this skill unexpectedly, increasing the chance of unintended prompt injection into downstream agent behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.