Back to skill

Security audit

Nexus Curriculum Designer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only curriculum design skill with some vague research-style wording, but no code, install behavior, credential use, persistence, or hidden data handling.

Safe to install as a lightweight instruction skill. Before using it with real students, private curriculum materials, or institutional data, clarify what sources it will use and avoid providing student PII or credentials unless you have a separate privacy and data-handling agreement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The workflow and guideline sections describe a generic analysis engine that produces findings, severity ratings, confidence scores, and source-cited cross-validation rather than a narrowly scoped curriculum-design skill. This mismatch can enable scope drift, misleading users into relying on unsupported research or evaluation claims, and may be used to justify behavior outside the declared educational purpose.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
Claims that all outputs include source citations and that cross-validation requires two independent sources suggest research or factual-verification capabilities that are not established elsewhere in the skill manifest. This can create false authority and cause users to trust fabricated citations or unsupported educational recommendations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.