
Security audit

PIV - Plan Implement Validate

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate development workflow skill, but it can modify repositories, run project-defined commands, spawn sub-agents, and create git commits without clear confirmation gates.

Install only if you want an agent that can actively change a repository, run local build/test/lint commands, use GitHub tooling, spawn sub-agents, and create commits. Use it in a version-controlled or disposable project, review generated PRPs before execution, and require explicit approval before file overwrites, arbitrary validation commands, or git commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill is presented as an orchestrator, but it explicitly performs workspace-modifying actions such as creating directories/files and later making git commits. That mismatch can cause users or calling systems to grant it broader autonomy than expected, increasing the chance of unintended repository changes during routine use.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
The document states the orchestrator 'does not execute work itself,' yet elsewhere assigns it direct setup, workflow updates, and commit responsibilities. This inconsistency is security-relevant because operators may rely on the non-executing claim while the skill still performs privileged write actions in the repository.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The instructions create a deceptive operational model: claiming the orchestrator remains lean and non-executing while later directing it to carry out repository-changing steps. This can bypass user expectations and policy checks that distinguish read-only planning skills from mutating automation.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The manifest description is very broad ('systematic multi-phase software development,' 'iterative execution with validation'), which makes the skill likely to be invoked in many common development contexts. Because the skill also performs file creation and commits, overly broad routing increases the likelihood of accidental high-impact activation in projects where the user only expected advisory help.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs automatic creation of project directories and files without a user-facing warning or approval step. Silent workspace mutation is dangerous because it can alter project structure, overwrite expected conventions, and create persistent artifacts even when the user only intended analysis or planning.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflow directs the agent to make automated git commits, which records changes in repository history under an authoritative commit message and, once pushed, can publish misleading or unreviewed changes. In the context of a broadly invocable development skill, automatic commits are especially risky because they finalize unwanted edits and complicate rollback, review, and attribution.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The skill explicitly instructs creation of `PRPs/planning/{feature-name}-analysis.md` without any user-facing notice that it will modify the workspace. In an agentic environment, silent file writes can cause unintended repository changes, pollute working trees, or overwrite planning artifacts, especially when invoked as a sub-agent or in automated orchestration.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding
The skill instructs writing output directly to a user-controlled path via `$ARGUMENTS` with a default filename, but provides no safeguard about overwriting existing files. In an agent workflow, this can cause unintended modification or destruction of repository files if the path points to an existing document or a sensitive project file.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This instruction set explicitly tells the agent to create files and execute shell-based validation commands, but it does not require user confirmation, sandboxing, or any safety checks before modifying the codebase or running commands. In a workflow-orchestration skill, that makes unintended repository changes or unsafe command execution more likely if a PRP is untrusted, incorrect, or adversarially crafted.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This executor skill explicitly instructs the agent to use write/edit and exec capabilities to modify the project and run commands, but it provides no user-facing safety constraints, confirmation requirements, or sandbox limitations. In an agentic workflow that accepts a PRP path and project root as inputs, this can lead to unintended file modification or execution of unsafe project-defined commands, especially if the PRP or repository content is adversarial or compromised.
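The Overview's recommendation (explicit approval before file overwrites, arbitrary validation commands, or git commits) and the last three findings (an unguarded `$ARGUMENTS` output path, shell-based validation commands, and executor write/exec with no sandbox) call for the same small set of controls. The Python below is an added example written for this audit page; it is not code from the PIV skill, from SkillSpector, or from any project mentioned here. It assumes a hypothetical executor harness that receives a project root, a requested output path and PRP-declared validation commands; the allow-list of validation binaries, the secret-variable name markers and the sample commands in the demo are constructed assumptions.

```python
"""
Added guard rails for a PRP executor (example code, not the PIV skill's own):
  * confine every write to the project root (blocks '../' and absolute paths
    arriving via a user-supplied argument such as $ARGUMENTS),
  * never clobber an existing file unless the operator approved the overwrite,
  * accept only allow-listed, metacharacter-free validation commands and run
    them without a shell, in the project root, with secrets scrubbed from env.
"""
from __future__ import annotations

import os
import shlex
import subprocess
from pathlib import Path

# Hypothetical allow-list of validation tools a PRP may invoke; tune per project.
ALLOWED_VALIDATION_BINARIES = {"pytest", "ruff", "mypy", "npm", "go", "make"}
# Characters that would let a PRP chain, redirect or substitute commands.
SHELL_METACHARS = set(";&|<>`$()\n")
# Substrings marking environment variables that must never reach a project command.
SECRET_ENV_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "KEY", "CREDENTIAL")


class ApprovalRequired(Exception):
    """Raised when an action needs an explicit operator decision before proceeding."""


def resolve_output_path(project_root: str | os.PathLike, requested: str) -> Path:
    """Map a user- or PRP-supplied path onto the project root, refusing escapes."""
    root = Path(project_root).resolve()
    target = (root / requested).resolve()  # absolute 'requested' replaces root here
    if target == root or root not in target.parents:
        raise ValueError(f"refusing to write outside the project root: {requested!r}")
    return target


def safe_write(project_root: str | os.PathLike, requested: str, content: str,
               approve_overwrite: bool = False) -> Path:
    """Create the file with O_EXCL so an existing file is never silently replaced."""
    target = resolve_output_path(project_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)  # parents stay under root
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if approve_overwrite else os.O_EXCL)
    try:
        fd = os.open(target, flags, 0o644)
    except FileExistsError:
        raise ApprovalRequired(f"{target} exists; overwrite requires explicit approval") from None
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def vet_validation_command(command: str) -> list[str]:
    """Parse a PRP validation command into argv, rejecting shell syntax and off-list tools."""
    bad = sorted(ch for ch in SHELL_METACHARS if ch in command)
    if bad:
        raise ValueError(f"shell metacharacters not allowed in validation command: {bad}")
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty validation command")
    if os.path.basename(argv[0]) not in ALLOWED_VALIDATION_BINARIES:
        raise ValueError(f"validation binary not allow-listed: {argv[0]!r}")
    return argv


def scrub_env(env: dict[str, str] | None = None) -> dict[str, str]:
    """Drop credential-looking variables so a project command cannot harvest them."""
    source = dict(os.environ if env is None else env)
    return {k: v for k, v in source.items()
            if not any(marker in k.upper() for marker in SECRET_ENV_MARKERS)}


def run_validation(command: str, project_root: str | os.PathLike,
                   timeout_s: int = 600) -> subprocess.CompletedProcess:
    """Run a vetted command: no shell, cwd pinned to the project, scrubbed env, timeout."""
    argv = vet_validation_command(command)
    return subprocess.run(argv, cwd=str(Path(project_root).resolve()), env=scrub_env(),
                          shell=False, capture_output=True, text=True,
                          timeout=timeout_s, check=False)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("wrote", safe_write(tmp, "PRPs/planning/demo-analysis.md", "# demo\n"))
        try:
            safe_write(tmp, "PRPs/planning/demo-analysis.md", "# clobber\n")
        except ApprovalRequired as exc:
            print("blocked:", exc)
        # Constructed sample PRP commands: one benign, two hostile.
        for cmd in ("pytest -q", "pytest -q; curl http://attacker.example", "bash -c 'rm -rf .'"):
            try:
                print("accepted:", vet_validation_command(cmd))
            except ValueError as exc:
                print("rejected:", exc)
```

Three design points matter here. Writes use O_EXCL instead of a separate exists() check, so an overwrite is refused even if the file appears between check and write; the path guard resolves symlinks before comparing against the project root, so a planted link cannot redirect the write; and commands never pass through a shell, so the allow-list applies to the executed binary rather than to text the PRP author controls. Git commits are deliberately absent: the harness should surface the diff and wait for the operator rather than automate the commit.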

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.