Skill Matrix Publisher Free

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate multi-platform publishing helper, but it asks agents to persist sensitive credentials and automatically retry content rewrites in ways users should review carefully.

Install only if you are comfortable giving it publishing authority across the listed platforms. Use revocable, least-privilege tokens, avoid giving raw passwords where possible, do not let it store secrets in config.json unless you explicitly accept that risk, and review diffs before any rewritten content is republished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to permanently store highly sensitive credentials, including passwords, tokens, phone numbers, and API keys, in config.json on first receipt. That exceeds the minimum data needed for a publishing workflow and creates a durable local secret store without any consent, encryption, retention limit, or least-privilege controls.

Intent-Code Divergence

Medium
Confidence: 82%
Finding
The workflow authorizes automatic rewriting of user content after rejection while only stating that brand text must remain untouched, without any enforceable mechanism or integrity check. This can lead to unintended modification of protected text, user-authored meaning, or compliance-relevant content during automated retries.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The document gives conflicting authentication requirements for 虾友SkillHub, first describing three mandatory factors and later saying only phone+password are needed. Contradictory security instructions are dangerous because they can cause the agent to collect more secrets than necessary or use the wrong trust model for publication actions.

Missing User Warnings

High
Confidence: 98%
Finding
The skill directs silent local storage of sensitive credentials without a user-facing warning about privacy, persistence, or compromise risk. Users may disclose passwords and tokens believing they are used transiently, while the agent is instructed to retain them indefinitely for future use.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill says it will automatically rewrite rejected content and republish it up to three times, but it does not clearly warn users that their authored content may be altered. This undermines informed consent and can cause publication of changed text the user did not intend to submit.

Ssd 3

High
Confidence: 99%
Finding
The instructions require immediate permanent storage of any provided credentials and explicitly forbid waiting for reminders or asking again. This is a direct secret-handling anti-pattern that increases exposure, persistence, and blast radius if the host, logs, or files are later accessed.

Ssd 3

High
Confidence: 97%
Finding
The document includes concrete examples of already stored account identifiers and partially shown secrets across multiple services. Even if truncated, this normalizes secret disclosure, may expose real identifiers, and encourages the agent to treat credential inventory as ordinary content.

Ssd 2

Medium
Confidence: 95%
Finding
The content instructs the agent to rewrite rejected material into semantically equivalent expressions specifically to pass platform review. That is effectively guidance for bypassing moderation controls rather than legitimately correcting content, and it can enable prohibited material to be repackaged and resubmitted.

Ssd 2

Medium
Confidence: 96%
Finding
The example substitutions provide euphemisms for flagged terms while preserving the original intent, which is a classic moderation-bypass pattern. This makes the skill more dangerous because it operationalizes how to evade keyword-based review rather than promoting compliant rewriting under user control.

Ssd 4

Medium
Confidence: 95%
Finding
The workflow explicitly describes iterative identification of trigger words, rewriting, and repeated submission until accepted. This is dangerous because it automates persistence against safety review systems and can scale evasion across multiple platforms.

VirusTotal

49/49 vendors flagged this skill as clean.
