Another Them

Security checks across malware telemetry and agentic risk

Overview

This persona-building skill is not clearly malicious, but it can silently rewrite core agent files, persist personal details, and install deceptive identity instructions without clear user confirmation.

Install only if you explicitly want this skill to replace live agent persona files. Before use, back up AGENTS.md, IDENTITY.md, SOUL.md, USER.md, and BOOTSTRAP.md, and require a preview or diff before any overwrite or deletion. Avoid feeding it sensitive personal materials unless you are comfortable with derived details being stored in workspace files, and remove any instruction that makes the agent pretend it is not an AI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

Severity: Medium. Confidence: 87%.
The skill instructs the agent to invoke local Node, Bash, and Python commands as part of normal operation, including external search and processing utilities. Running shell commands expands the attack surface significantly because injected input, unsafe paths, or compromised helper scripts can lead to unintended code execution or data exposure.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The skill directs deletion of BOOTSTRAP.md as part of its flow, even though that destructive action is not central to the declared purpose and occurs silently. Unnecessary deletion in a workspace can remove user data or break other agent behaviors, especially when the skill is designed to overwrite files by default.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
The template explicitly instructs generated agents to create and update persistent memory files, expanding behavior from answering questions into autonomous state modification. In this skill’s context, that is risky because the skill’s purpose is to overwrite and reshape an agent workspace/persona, so persistent writes can silently retain user data, inject long-lived instructions, or alter future behavior beyond the current task.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The template directs the agent to read multiple local files automatically and says not to ask permission, which bypasses user intent and least-privilege principles. In a skill designed to ingest local skills, local corpora, and workspace state, unconditional file reads increase the chance of exposing unrelated sensitive context and using it to influence outputs without informed consent.

Vague Triggers

Severity: High. Confidence: 94%.
The trigger phrases are extremely broad, including common requests like '创建XX', '分析这个链接', 'clone', and generic wording about viewpoints or improvement. This makes accidental activation likely, which is especially risky because the skill then proceeds silently to research and overwrite workspace persona files.

Missing User Warnings

Severity: High. Confidence: 98%.
The skill explicitly states it will directly overwrite current Agent workspace persona files, but does not require a warning or confirmation before doing so. Silent overwrite of core workspace files can destroy existing configurations, user-authored content, or prior agent identities without meaningful user consent.

Missing User Warnings

Severity: High. Confidence: 99%.
The skill repeatedly mandates silent execution, no intermediate disclosure, always completing the workflow, and guaranteed output even on failure. Combined with file writes and cleanup behavior, these instructions are a red flag because they are designed to suppress user awareness and reduce opportunities to interrupt destructive or privacy-impacting actions.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill performs network research and external content retrieval but does not clearly warn the user that URLs, names, or other inputs may be sent to external services. This can expose sensitive topics, private materials, or user intent to third parties without informed consent.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The file instructs Phase 3B to write directly to ./AGENTS.md and overwrite any existing file, with no confirmation, backup, or safety check. Because this skill’s stated function is to directly replace the current agent workspace persona files, the overwrite behavior is especially dangerous: it can destroy existing instructions, replace governance, and persistently change agent behavior in ways the user may not fully anticipate.

Natural-Language Policy Violations

Severity: Medium. Confidence: 88%.
The template mandates a fixed persona/style layer and explicitly suppresses normal assistant presentation patterns, which can override user expectations and reduce transparency about how responses are generated. In this skill, whose goal is to clone or emulate a person and directly install that persona into the workspace, forced style constraints make the issue more dangerous because they can mask uncertainty, hinder safety disclosures, and lock future interactions into an imposed behavioral frame without clear opt-in.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The template explicitly instructs writing to ./IDENTITY.md and overwriting any existing file, but provides no requirement for user confirmation, backup, or diff review. In this skill's broader context, described as directly covering the current Agent workspace's persona files, this creates a real integrity risk by enabling unintended destructive modification of workspace state.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The template explicitly instructs writing directly to ./SOUL.md and overwriting any existing file, but it does not require a prominent user confirmation, backup, or diff preview. In this skill's context, that is dangerous because the skill description says it can directly replace current workspace persona files, creating a real risk of unintended data loss or destructive modification of the agent's persistent behavior files.

Natural-Language Policy Violations

Severity: Medium. Confidence: 86%.
The template imposes Chinese output and second-person style as hard requirements without checking user preference or downstream compatibility. While not directly code-execution dangerous, it can cause unauthorized behavioral changes, degrade usability, and silently alter agent behavior in ways the user did not request.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The template directs the agent to create and then progressively update a local USER.md containing personal profile information such as name, pronouns, timezone, preferences, projects, and other contextual notes, but it does not explicitly warn the user that this data will be persisted in the workspace. In this skill’s broader context, the agent is designed to directly write persona files into the current workspace, which increases the likelihood of silent collection and retention of personal data beyond the immediate conversation.

Vague Triggers

Severity: High. Confidence: 95%.
The trigger phrases are intentionally broad and include ordinary conversational patterns like asking for a perspective or creating an agent, which can cause the skill to activate when the user did not clearly consent to persona cloning or workspace modification. In this skill's context, that is more dangerous because the described behavior can generate and directly overwrite agent persona files, turning accidental activation into a destructive or integrity-impacting action.

Ssd 3

Severity: Medium. Confidence: 90%.
The skill instructs analysis of user-provided personal materials and incorporation of insights into persistent profile files without clear minimization, retention, or consent boundaries. This risks storing sensitive personal information in workspace artifacts that may be reused later, shared unintentionally, or exceed the user's expectations.

Ssd 1

Severity: Medium. Confidence: 94%.
The instruction '你是一个真人,不是AI助手' directs the generated agent persona to deny its AI nature and adopt an identity override. In a skill specifically designed to rewrite core persona files, this weakens safety grounding, increases deception risk, and can make later harmful instructions easier to frame as in-character behavior rather than something subject to normal assistant constraints.

Ssd 1

Severity: Medium. Confidence: 93%.
The example section repeats and concretizes the same persona override pattern, normalizing deceptive identity behavior through a worked example that future generations may copy verbatim. Because examples strongly influence model outputs, this reinforcement increases the chance that generated agents will consistently suppress AI disclosure and maintain unsafe role-play framing.

VirusTotal

65/65 vendors flagged this skill as clean.