command-skill-creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for creating command-style automation skills, with no evidence of hidden execution or malicious behavior.

Install this if you want help creating command-style skills, but review each generated command before enabling it. Pay special attention to commands that commit, deploy, modify another repository, or call external APIs, and make sure they include clear approval gates before those actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The cross-repo pattern explicitly instructs the command to modify files in another project and then validate, commit, and deploy, but it does not require a user approval gate before those side effects occur. In a command-skill framework, this can normalize autonomous changes outside the current repository boundary, increasing the risk of unintended edits, unauthorized deployment, or supply-chain style impact across related projects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal