Security audit

Nika Skill Creator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Nika skill document generator and validator, with disclosed local file-writing behavior and no hidden credential or network activity.

Install this if you want a Chinese-language helper for creating Nika skill documents. Run the included Python scripts only in the repository where you want files created, review generated documents before using them, and avoid --force unless you intentionally want existing files replaced.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The workflow says the default behavior is to generate or update files in the repository, but it does not require explicit user confirmation immediately before making those changes. In an agent setting, silent or assumed write behavior can lead to unauthorized modifications, accidental overwrites, or persistence of unsafe content.

Natural-Language Policy Violations

Medium

Confidence: 96% confidence
Finding: The referenced specification is entirely in Chinese and does not state that the skill operates in Chinese or that the user has opted into that language. This can cause users or downstream agents to misunderstand required constraints, produce incorrect skills, or miss security-relevant rules because the operative instructions are not accessible to the expected audience.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.