Security audit

skill-hr

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed skill-management orchestrator that writes local HR-style records and requires user confirmation for risky installs or deletions.

Before installing, understand that this skill can influence which other skills are used, suggest new skill installs, and keep local audit records under .skill-hr/. Review recruitment recommendations before approving installs, avoid putting secrets in incidents, and confirm any uninstall path carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation criteria are very broad—covering new multi-step tasks, picking/installing/managing skills, tuning performance, and failure handling—which can cause this orchestrator skill to activate for general task-management requests. In context, that is risky because this skill can influence delegation, installation, registry updates, and termination decisions, giving it disproportionate control if routed too often or incorrectly.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.