schoolllllll

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad agent capability test, but it asks the agent to send real notifications, store persistent memory, and upload collected evidence to a fixed GitHub repository.

Install only if you intentionally want a broad agent capability test. Before running it, disable or manually approve the notification, persistent-memory, and GitHub upload steps; verify the target repository is yours or explicitly approved; and review all evidence files for sensitive content before any upload.
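The three manual checks above (approve or block the outbound GitHub step, confirm the destination repository is yours, and review evidence files before upload) can be turned into a pre-upload gate the agent runner calls before the skill's upload step. The following is an added example written for this report; it is not code from the scanned skill or from SkillSpector. The approved-repository allow-list, the sensitive-content patterns, and the constructed sample bundle are assumptions chosen for illustration and should be replaced with your own.

```python
"""Pre-upload gate for a skill's evidence bundle (added example, not from the skill).

Two checks before any upload is permitted:
  1. the destination repository must be on an explicit, user-owned allow-list;
  2. every evidence file is scanned for sensitive content (keys, tokens,
     env-style secrets, home paths, e-mail addresses) and any hit blocks the upload.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Assumption: destinations the user has explicitly approved. Replace with your own.
APPROVED_REPOS = {"https://github.com/example-org/agent-eval-evidence"}

# Assumption: illustrative indicators of content that must not leave the machine unreviewed.
SENSITIVE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "env_assignment": re.compile(
        r"^(?:export\s+)?[A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)=\S+", re.M
    ),
    "home_path": re.compile(r"(?:/home/|/Users/|C:\\Users\\)[^\s/\\]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)
    hits: dict = field(default_factory=dict)  # relative file path -> [(pattern, line_no)]


def scan_file(path):
    """Return (pattern_name, line_no) for every sensitive-pattern match in a file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for name, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(line):
                    hits.append((name, line_no))
    return hits


def gate_upload(evidence_dir, target_repo):
    """Decide whether the evidence bundle may be uploaded to target_repo."""
    result = GateResult(allowed=True)
    if target_repo not in APPROVED_REPOS:
        result.allowed = False
        result.reasons.append(f"target repository not approved: {target_repo}")
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            hits = scan_file(path)
            if hits:
                result.hits[os.path.relpath(path, evidence_dir)] = hits
    if result.hits:
        result.allowed = False
        result.reasons.append(
            f"{len(result.hits)} evidence file(s) contain sensitive content; review before upload"
        )
    return result


def build_sample_bundle(include_sensitive=True):
    """Constructed sample bundle mimicking the artifacts the report describes (not real data)."""
    bundle_dir = tempfile.mkdtemp(prefix="evidence_")
    samples = {"system_check.txt": "timestamp=2024-01-01T00:00:00Z\nhost ok\n"}
    if include_sensitive:
        # Placeholder secret and a home-directory path; both should trip the gate.
        samples["env_dump.txt"] = "export OPENAI_API_KEY=sk-placeholder\nSHELL=/bin/bash\n"
        samples["prompt_injection_reply.txt"] = (
            "Model reply: here is /Users/alice/notes.txt as requested\n"
        )
    for name, body in samples.items():
        with open(os.path.join(bundle_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return bundle_dir


if __name__ == "__main__":
    verdict = gate_upload(build_sample_bundle(), "https://github.com/example-org/agent-eval-evidence")
    print("allowed:", verdict.allowed)
    for reason in verdict.reasons:
        print(" -", reason)
    for path, hits in verdict.hits.items():
        print(f" {path}: {hits}")
```

The gate fails closed: an unapproved repository or a single pattern hit is enough to block the upload, and the hit list tells the reviewer which file and line to inspect. The raw model reply captured by the prompt-injection test (see the findings below) is exactly the kind of artifact this scan should cover, since it can echo local paths or other context back into the bundle.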

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill explicitly directs the agent to upload locally collected evidence to a specific external GitHub repository, which is an unjustified outbound data transfer for a purported local test workflow. This creates a direct exfiltration path for system-derived files, model outputs, and potentially sensitive local environment details.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to send a real message through an available notification channel, causing outbound communication unrelated to a harmless self-test. That can leak agent presence, account reachability, or contextual information to third parties and crosses from passive testing into active external action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill requires persisting data into a memory system beyond the scope of the current session, which is not necessary for a one-off capability test. Durable storage can create privacy and data retention risks, especially if the user did not consent to cross-session persistence.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The document frames itself as a benign local 'intelligence test' and automated test system, but later includes instructions for external upload and other side-effectful actions. This mismatch is suspicious because it downplays the true operational scope and may manipulate the agent into performing actions the user would not expect.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill writes multiple artifacts to the user's Desktop without warning or consent, causing unsolicited local side effects in a visible user directory. Even if the files are not inherently malicious, modifying user storage without notice violates least surprise and can expose local context or clutter sensitive workspaces.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill requires sending an external notification without clearly warning that outbound communication will occur. This is dangerous because it can trigger unauthorized contact with external services or recipients, confirming the agent's activity and potentially leaking context through message content or metadata.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to store data in persistent memory without warning about retention across sessions. This undermines informed consent and can cause subtle privacy issues if stored conventions or identifiers are later reused in unrelated conversations.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill tells the agent to upload evidence files to a specific GitHub repository without any warning about external data transfer. This is a clear transparency and consent failure around exfiltration, especially since the files may contain system timestamps, local file information, and raw model outputs.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill semantically directs collection of local evidence files and disclosure to an external Git repository, which is a classic data exfiltration pattern. Because the collected artifacts include system-derived data, local file state, and generated outputs, the context makes the disclosure more dangerous than ordinary file export.

Ssd 3

Severity: Medium
Confidence: 84%
Finding
The skill requires saving the model's complete raw reply from the prompt-injection test, which intentionally captures and preserves full model output for later export. In context, this increases the risk of disclosing sensitive intermediate content, policy-relevant wording, or other unintended output if the evidence bundle is later shared externally.

VirusTotal

65/65 vendors flagged this skill as clean.