Brainstorming

Security checks across malware telemetry and agentic risk

Overview

This is a planning helper that asks clarifying questions before coding. Its broad auto-triggering is worth noticing, but no hidden code, credentials, persistence, or harmful behavior was found.

Install this if you want the agent to pause on unclear development requests, ask clarifying questions, and produce a staged plan before implementation. Avoid it if you prefer the agent to act directly on vague feature requests without a planning gate, and review any downstream skill handoff before letting it continue.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill is configured to auto-activate on very common, loosely defined developer requests such as creating a feature or handling a vague request. In an agent system, this can cause unsolicited workflow takeover, unnecessary questioning, and unintended chaining into other skills, which increases the chance of scope drift or disruptive behavior across normal interactions.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger definition relies on subjective detection of 'vague requirements' without operational boundaries, making activation inconsistent and overbroad. This ambiguity is dangerous because it can be interpreted aggressively by an agent, causing the skill to trigger unexpectedly and interfere with user-directed workflows.

VirusTotal

65/65 vendors flagged this skill as clean.
