Back to skill

Security audit

L4 Skill Forge

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent skill-building assistant with optional local scripts, and the main caution is that its broad trigger phrases may activate it for generic skill-related requests.

Install only if you want a skill-focused assistant for building or reviewing Agent Skills. Review the publisher, run the included Node scripts only in a workspace you intend to modify, and treat the score output as a checklist signal rather than a security certification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README advertises very generic activation phrases such as '帮我做一个 skill' and '对这个 skill 做安全审查', which are broad enough to overlap with ordinary user requests. In an auto-activation ecosystem, this can cause unintended invocation of the skill in contexts where the user did not explicitly choose it, creating prompt-routing confusion and potentially exposing unrelated content to the skill’s workflow.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation triggers are overly broad and match very common requests such as 'help me make a skill' or 'do a security review', which can cause unintended auto-activation in unrelated contexts. In a high-authority skill that guides file creation, evaluation, and release processes, accidental invocation can override more appropriate task handling and expand the skill's influence beyond the user's actual intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.