Security audit

Skill Creator 0.1.0

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for creating skills, with no hidden code, credential access, or automatic execution behavior.

Safe to install as a skill-writing guide. Because it helps create persistent agent skills, review any generated SKILL.md files, scripts, assets, and packaged skills before using or publishing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Self-Modification

High
Category
Rogue Agent
Content
1. Understand the skill with concrete examples
2. Plan reusable skill contents (scripts, references, assets)
3. Initialize the skill (run init_skill.py)
4. Edit the skill (implement resources and write SKILL.md)
5. Package the skill (run package_skill.py)
6. Iterate based on real usage
Confidence
83% confidence
Finding
write SKILL

Self-Modification

High
Category
Rogue Agent
Content
Any example files and directories not needed for the skill should be deleted. The initialization script creates example files in `scripts/`, `references/`, and `assets/` to demonstrate structure, but most skills won't need all of them.

#### Update SKILL.md

**Writing Guidelines:** Always use imperative/infinitive form.
Confidence
88% confidence
Finding
Update SKILL

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.