Orche

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only orchestration skill whose multi-agent behavior is disclosed and mostly bounded, though users should be aware it can spawn agents, write local run state, and auto-proceed after initial approval.

Install only if you want an autonomous multi-agent workflow. Use explicit commands such as /orche, avoid putting secrets in prompts, set budget and concurrency limits, and request approval at each step for costly, external, or destructive tasks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger phrases include generic language like "orchestrate", "orchestration", and "systematic execution", which can plausibly appear in normal user requests unrelated to this specific skill. In a skill system that auto-matches on trigger phrases, this can cause unintended invocation of a highly autonomous multi-agent workflow, increasing the chance of unnecessary file writes, agent spawning, and task execution without explicit user intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal