Back to skill

Security audit

Bom Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a BOM spreadsheet helper whose requested file processing is consistent with its stated purpose and does not show hidden, persistent, or unsafe behavior.

Before installing, treat this as a spreadsheet-processing aid for BOM files and provide only the BOM documents needed for the specific compare, split, merge, or report task. The trigger wording could be clearer, so users should state the desired operation and input files explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description and activation guidance are broad enough that the agent may invoke this skill for generic BOM-related requests without clear user intent or task boundaries. Over-broad triggering can cause unintended file processing, incorrect workflow selection, or unnecessary access to BOM documents, especially when multiple skills overlap on spreadsheet or procurement tasks.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example phrases in the usage table are ambiguous short commands like '对比BOM' and '合并BOM' that lack scoping, input requirements, or disambiguation from adjacent tasks. In an agent environment, such phrases increase the chance of accidental or premature activation, leading to misrouting, incorrect transformations, or processing of the wrong files.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.