Back to skill

Security audit

Virtual Board of Advisors

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only business advisory skill with disclosed reference material and no evidence of code execution, credential access, persistence, or hidden data movement.

Safe to install from a security perspective based on the reviewed artifacts. Share only business details you are comfortable putting into an AI chat, and do not rely on this skill for individualized medical, nutrition, supplement, legal, or financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill explicitly includes health/fitness product development and advice based on a fitness/nutrition advisor while simultaneously disclaiming medical advice. That mismatch can cause users to treat quasi-health guidance as safe business strategy, leading the agent to provide recommendations about nutrition, supplementation, or health-related products without adequate clinical guardrails.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file says the skill is not for medical advice, but later operational instructions direct it to provide evidence-based fitness, nutrition, and supplementation advisory. This creates contradictory safety boundaries that can fail open in practice, making it more likely the agent will generate health-adjacent recommendations users may rely on.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation scope includes a very broad condition such as 'multi-expert perspectives on any business challenge,' which can cause over-triggering on loosely related requests. Overbroad activation increases the chance that this skill overrides more appropriate narrower skills or injects advisory behavior into contexts where its assumptions and safety limits do not fit.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The report-mode trigger based on common phrases like 'report,' 'deep dive,' or 'full analysis' is ambiguous and likely to activate unintentionally during ordinary conversation. This can lead to unnecessary loading of large reference content, verbose outputs, or accidental mode switching that degrades reliability and may widen exposure to unsafe domains covered by the skill.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.