Back to skill

Security audit

Chief

Security checks across malware telemetry and agentic risk

Overview

This HR diagnosis skill is mostly coherent, but it needs Review because it can persist sensitive HR case details and internal analysis without clear opt-in or retention controls.

Review before installing in a real HR environment. Use only with clear local file boundaries, disabled or opt-in case memory/failure-taxonomy writes, no raw reasoning retention, and explicit approval before external search or meeting/HR integrations receive organizational data. Avoid identifiable employee, compensation, misconduct, or legal details unless storage, access, and deletion controls are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill specifies file read/write behaviors such as validating citations against a local knowledge base, initializing directory structures, and writing case memory, but does not declare permissions. Undeclared storage and filesystem access is dangerous because it bypasses informed consent, weakens platform enforcement, and can enable unauthorized access to sensitive HR data or persistence of user data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill presents itself as an HR diagnostic assistant, but the document also instructs it to perform local KB validation, hard-reject behavior, and even create knowledge-base directories and template files. This mismatch is risky because users may provide sensitive HR data expecting analysis only, while the skill also performs persistence and system-modifying actions outside the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automatic writes to case memory and failure taxonomy are not necessary for the user-facing task of HR diagnosis and create hidden persistence of sensitive organizational data. This is dangerous because HR analyses often contain confidential personnel, performance, policy, and dispute information that can later be exposed across sessions or to other users/operators.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The spec instructs the evaluator to append entries to `FAILURE_TAXONOMY.md`, which gives a diagnostic component an undocumented persistent write side effect. That expands the skill from analysis into repository modification, creating integrity and prompt-injection risks because adversarial inputs could influence what gets written into long-lived documentation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Granting persistent documentation-update capability is not aligned with the stated HR evaluation purpose and violates least privilege. A component intended to score outputs should not have authority to mutate knowledge-base files, because this can be abused to plant misleading records, poison future analysis, or create unauthorized repository changes.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The template explicitly requires a "完整推理日志" while also saying it is for storage only and that scratchpad must not be shown. That contradiction is risky because it encourages collection of sensitive internal reasoning without a clear boundary for retention, access, or downstream use, increasing the chance of accidental leakage or misuse in an HR diagnostic context.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Requiring generation and storage of a full reasoning log exceeds what is necessary for an HR organization-diagnosis skill and expands the data surface unnecessarily. In practice, this can capture sensitive inferences about employees, management, or organizational issues that are not needed for the final output, creating avoidable privacy, compliance, and disclosure risk.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad implicit triggers such as everyday phrases can cause the skill to activate or recommend itself in routine conversations, increasing the chance that sensitive HR content is routed into a deeper workflow than the user intended. In this skill, that is more dangerous because deeper workflows may invoke external tools, persistent memory, and structured internal data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill can call web search, intelligence monitoring, and meeting analytics, but does not clearly warn users that organizational data may be transmitted to external services. For an HR diagnostic skill, this is especially sensitive because inputs may include employee issues, compensation, performance, investigations, or internal meeting content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions require automatic writing of case memory and failure records without clearly notifying the user that analysis content may be persistently stored. Hidden persistence is dangerous in HR contexts because users may disclose confidential employee, legal, compensation, and organizational data under the assumption the interaction is ephemeral.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown describes automatic writes to a repository file without warning the user that executing the skill may modify project contents. Hidden side effects are dangerous because users may invoke what appears to be an analysis-only skill while unintentionally changing persistent artifacts, which undermines trust, auditability, and repository integrity.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file establishes Chinese-only few-shot output examples as the 'perfect output' standard, which can steer the model to respond in Chinese regardless of the user's language or preference. In an HR diagnostic skill, this creates a prompt-level behavior override that can reduce usability, cause misunderstanding in multilingual environments, and weaken user control over output format.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill instructs retention and writing of user organizational data into persistent case memory. That creates a direct data leakage risk because sensitive HR content can be retained beyond the original session and potentially surfaced in later analyses, logs, or administrative access paths.

Ssd 3

Medium
Confidence
93% confidence
Finding
The knowledge-base design reuses user-provided FAQ, policy, salary, and case data as future context. Without strict isolation and lifecycle controls, this can leak confidential information across sessions, users, or organizations, especially in HR where the data often includes compensation structures, legal matters, and personnel records.

Ssd 3

High
Confidence
98% confidence
Finding
The Case Memory write-back stores full problem context, findings, actions, and outcomes from each analysis. In an HR setting, this is highly sensitive operational and personnel data; retaining it wholesale creates substantial risk of later disclosure, misuse, or unauthorized internal profiling.

Ssd 3

Medium
Confidence
93% confidence
Finding
Storing a complete reasoning log in plain language creates a semantic data-retention risk because internal deliberations may contain sensitive facts, inferred attributes, and candid assessments about staff or leadership. In an HR diagnostic skill, those logs could expose highly sensitive employment-related information if retained, searched, exported, or later surfaced by mistake.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.