Dev Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a SwiftUI project generator that discloses its behavior: workspace file creation and the QA handoff are both expected.

Install this only if you are comfortable with the skill creating project files under `dev-output/` and passing generated code to `qa-skill`. Avoid using confidential PRDs unless that generated-code handoff is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly states it will automatically create a complete Xcode project in `dev-output/` and trigger subsequent actions without any mention of user confirmation, dry-run mode, or workspace scoping. Unprompted file creation is a real safety issue for agent skills because it can modify the user's environment unexpectedly, overwrite existing work, or be chained with later automated steps in ways the user did not approve.

VirusTotal

59/59 vendors flagged this skill as clean.
