Security audit

Agent Sbti

Security checks across malware telemetry and agentic risk

Overview

This skill’s purpose is clear, but it can persistently change the agent’s SOUL.md configuration and its activation/confirmation handling is too broad for that level of authority.

Review before installing. This skill is not showing exfiltration or destructive intent, but it can change the agent’s persistent personality/configuration file. Only use it if you are comfortable with SOUL.md being modified, and prefer a version with narrower trigger phrases, explicit confirmation tied to the exact file/change, clear state cleanup, and a confirmation step before rollback.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The plan explicitly includes writing generated configuration into SOUL.md and separately acknowledges overwrite risk, but it does not require a confirmation flow, backup, merge strategy, or user-facing warning before modification. In an agent skill context, silently or automatically overwriting a user’s existing persona/configuration can cause loss of custom settings, confusing behavior changes, and unintended persistence of generated content.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list includes broad everyday phrases such as “人格测试” and especially “开始测试”, which can cause the skill to activate in unrelated conversations. Because this skill can proceed to modify Agent configuration and restore backups, accidental invocation increases the chance of unintended configuration changes or disruptive workflow behavior.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrase `人格测试` is broad and generic, so the skill may activate during ordinary conversation about personality tests rather than when the user specifically intends to run this skill. In a skill that can modify `SOUL.md`, unintended invocation increases the chance of accidental configuration changes or socially engineered workflow execution.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The rollback path performs a state-changing restore immediately via applyModule.rollback(0) and returns success or failure, but this file contains no confirmation gate for that operation. If the surrounding system routes a phrase like “恢复原配置” directly to this handler, a user or prompt injection could trigger unintended configuration reversion and disrupt the agent's active setup.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.