Back to skill

Security audit

Super Agent Skills

Security checks across malware telemetry and agentic risk

Overview

This is a broad DevOps and automation checklist that names powerful tools but does not include hidden code, installation scripts, or automatic execution.

Install this as a reference-style skill, not as permission for automatic system changes. Review and approve any command that writes files, schedules future work, deploys containers, changes databases, or uses cloud/API credentials; check the target environment before running deployment commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The scheduled-task example writes to a user file after a delay without any safety warning, confirmation requirement, or sandboxing guidance. In an agent skill context, examples often become executable patterns, so this can normalize unattended file modification and lead to unintended persistence or silent changes to user data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The container examples include deployment-oriented commands like docker run and kubectl apply that can alter local systems or connected clusters, yet the skill provides no caution about authorization, target validation, or safe environments. In a reusable agent skill, this increases the risk of an agent executing impactful infrastructure changes by default.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.