unified security auditor

Security checks across malware telemetry and agentic risk

Overview

This is a security-review guidance skill with no executable code, though users should control when it saves audit reports to a project.

Install it project-locally unless you intentionally want this security guidance available in all workspaces. When asking for an audit report, tell the agent whether to keep the report in chat or save a markdown file, and confirm the destination path if you want a file written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill directs the agent to write a markdown report into the current project without requiring explicit user confirmation. In an agent setting, unsolicited file creation/modification expands the skill from advisory analysis into state-changing behavior, which can surprise users, alter repositories, and be abused in automated workflows.

Vague Triggers

Medium
Confidence: 78%
Finding
The top-level description is broad enough to match many ordinary development tasks, increasing the chance the skill is invoked in contexts beyond focused security review. Overbroad activation can cause unexpected behavior, including unnecessary security-specific instructions or side effects being applied where they are not appropriate.

Vague Triggers

Medium
Confidence: 88%
Finding
The 'Use When' section lists many situations but does not define boundaries, exclusions, or approval expectations, so the skill may trigger in ambiguous cases. In agent systems, underspecified invocation criteria can lead to over-application of the skill and unintended actions like generating reports or changing outputs when the user did not request that behavior.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs file creation in the project folder but does not warn the user that files will be created or modified. This violates the principle of transparent, least-surprise agent behavior and can cause unintended repository changes, noisy commits, or unsafe writes in sensitive environments.

VirusTotal

63/63 vendors flagged this skill as clean.
