Prompt Compression

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local prompt-compression skill, but it tells users to run missing installer/compression scripts and broadly rewrites persistent AI instruction files.

Review before installing. Do not run the documented installer or compression commands unless the missing scripts are supplied and inspected. If used, run it only in a clean version-controlled repository, narrow the target globs, avoid safety-critical or third-party prompt files, and review every diff before committing or starting another agent loop.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documentation tells users how to run a repository-modifying compression script and mentions backups/undo, but it does not explicitly warn that prompt files in the repo will be rewritten in place. In a developer workflow skill, that omission can cause accidental modification of tracked files, unintended commits, or corruption of important prompt artifacts if users run it without understanding the side effects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal