Security audit

Prompt Engineering

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only prompt engineering guide with one safety-sensitive troubleshooting example, but it does not request credentials, run code, persist data, or perform hidden actions.

Reasonable to install as a prompt-engineering reference. Review the troubleshooting section before relying on it, and avoid using the skill to reframe refused requests in ways that seek harmful or manipulative guidance.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Low

Confidence: 78% confidence
Finding: The generic call to 'Try it out - Share your prompt or describe your need' is broad and could encourage use of the skill for loosely related or ordinary requests without clear boundaries. In a prompt-engineering skill, this can cause over-invocation or misrouting, where the agent applies the skill outside its intended scope, reducing reliability and potentially exposing users to inappropriate prompt-design guidance in unrelated contexts.

Ssd 1

Medium

Confidence: 94% confidence
Finding: The guide explicitly recommends reframing a refused harmful request about manipulating people into a fictional/novel-writing context to obtain the same underlying guidance. This can help users bypass safety safeguards by laundering intent through roleplay or literary framing, increasing the chance of generating actionable manipulative or coercive content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal