Security audit

requirement-pre-review

Security checks across malware telemetry and agentic risk

Overview

This is a single-file requirement-review skill with no executable code, installer, persistence, credential use, or hidden data flow.

Install this if you want a Chinese-language PRD or requirements pre-review checklist. Consider narrowing the trigger wording or requiring explicit user intent if accidental activation on generic review requests would be disruptive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger conditions are intentionally broad enough to activate on many generic 'review/check' style requests, including cases where the user may not actually want this specific skill. In an agent environment, over-broad activation can cause incorrect routing, unnecessary disclosure of user content to the skill, and degraded reliability because the wrong workflow is invoked by default.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The skill hard-codes Chinese-language behavior and output format without checking the user's preferred language. While not a classic security flaw, it is a policy and safety issue because it can override user intent, reduce comprehension, and increase the chance that users misunderstand important review results or follow-up questions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal