Security audit

Adaptive Suite

Security checks across malware telemetry and agentic risk

Overview

This skill is not visibly malicious, but it asks for broad tool access, a third-party API key, and NAS metadata scanning without clear limits.

Review before installing. Use this only with narrow, user-approved NAS paths, avoid scanning sensitive shares, and confirm whether project context or metadata is sent to SkillBoss or downstream providers. Use a scoped API key if possible and avoid granting this skill broad filesystem or network authority by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 94% confidence
Finding
The skill metadata describes a very broad, multi-domain capability set without clear boundaries, making it likely to be invoked in contexts far beyond a narrowly intended use case. This increases the chance of unsafe tool access, over-privileged behavior, and accidental handling of sensitive tasks under an ambiguous banner of 'adaptivity.'

Vague Triggers

Medium, 96% confidence
Finding
The instructions authorize broad adaptive behavior across coding, business analysis, web development, data work, and NAS scraping without concrete constraints or trigger conditions. In practice, this can cause the agent to overreach, route sensitive requests into powerful workflows, or combine unrelated capabilities in ways the user did not clearly intend.

Missing User Warnings

Medium, 92% confidence
Finding
The skill declares a required API credential (SKILLBOSS_API_KEY) but provides no user-facing disclosure about when the secret is used, what data may be sent with it, or how it is protected. This creates a risk of silent credential use and unexpected transmission of user or workspace data to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.