Security audit

Super Dev Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SwiftUI project generator that writes local project files and hands them to a QA skill, with no evidence of hidden or malicious behavior.

Install only if you are comfortable with the agent generating project files in dev-output/ and passing that generated code to qa-skill. Review the generated project before running it in Xcode or connecting real services, especially if the PRD asks for networking, iCloud, notifications, or other integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill metadata and content describe seamless integration with other skills and automatic triggering, but they do not define clear gating conditions, user confirmation, or scope boundaries. In an agentic environment, broad trigger language can cause unintended chaining or overlap with other skills, leading to actions being taken on the wrong input or without explicit user awareness.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly states it will create a complete Xcode project in a local directory and automatically trigger another skill, but it does not provide a prominent warning or require consent for these side effects. This is dangerous because file creation and secondary invocation are state-changing actions that may surprise users, overwrite existing work, or propagate unintended data to another skill.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.