Local Find Skills

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill helps users find and optionally install other skills, with its registry use and install behavior disclosed.

Use this skill when you actually want help finding or installing skills. Before approving any install, review the registry source, skill name, version, publisher, and risk signals, especially when results come from third-party registries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The workflow says 'When a user asks for help with something, identify' and then proceed to search for skills, which broadens activation beyond explicit skill-discovery intents. In a highest-priority skill, this can misroute ordinary help requests into external package discovery and possible installation flows, increasing the chance of inappropriate tool use or supply-chain exposure without clear user intent.

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The skill hard-codes locale-based routing for Chinese users/CN networks to prefer specific registries before any user choice. This creates unequal routing behavior based on language or network environment and may direct users toward different trust, privacy, or compliance regimes without informed consent, especially when searching for or installing third-party skills.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal