Freelance Proposal Engine

Security checks across malware telemetry and agentic risk

Overview

The skill mainly drafts freelance proposals, but it asks for shell, broad file-search, and file-writing powers that are not explained or needed for that job.

Review before installing. Use this only with job listings or files you intentionally provide, and consider removing or denying Bash, Write, Grep, and Glob; the useful workflow should only need pasted text, reading a specified file, fetching a specified listing URL, and optionally web search when you explicitly request it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill description is broadly worded and can be invoked for many generic proposal-writing or job-response tasks without tight scoping to trusted inputs or specific platforms. Because the skill also enables WebFetch, WebSearch, Bash, Read, and Write, overly broad triggering increases the chance it will process untrusted external content or be used in unintended contexts, expanding the attack surface for prompt injection and unsafe tool use.

VirusTotal

65/65 vendors flagged this skill as clean.
