Back to skill

Security audit

prompt engineer

Security checks across malware telemetry and agentic risk

Overview

This skill is a prompt-engineering reference with user-run examples that use an OpenAI API key and send evaluation prompts to OpenAI when executed.

Reasonable to install as a prompt-engineering reference. Before running the examples, use a limited API key, keep .env private, pin dependencies for real projects, and do not place proprietary prompts, customer data, or regulated data in test cases unless sending them to OpenAI is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The generated evaluate.py script sends every test input to the OpenAI API, which is an external service, but the scaffold provides no warning or consent mechanism about remote data transmission. In a prompt-engineering workflow, test cases may contain proprietary prompts, customer examples, or sensitive datasets, so silent exfiltration to a third party creates a real confidentiality risk.

Credential Access

High
Category
Privilege Escalation
Content
- openclaw
        - python
      config:
        - .env
---

# Prompt Engineering Skill
Confidence
72% confidence
Finding
.env

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.