Save Money 4.2.0

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill transparently routes complex prompts from Haiku to Sonnet, but users should understand it may forward the full task text to another model session.

Install this only if you want automatic Haiku-to-Sonnet routing. Avoid using it for highly sensitive prompts unless you are comfortable with the full prompt being sent to the spawned Sonnet session, and verify the publisher/homepage if the metadata mismatch matters to you.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The skill uses very broad natural-language examples and rules like 'when in doubt, escalate' and 'if a human would need more than 30 seconds of focused thinking, escalate,' which can cause routine requests to be forwarded to a more capable model unnecessarily. Because it tells the agent to pass the full task to `sessions_spawn()` immediately, this can increase data exposure and cost, and can be abused by users phrasing simple requests to trigger escalation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal