Quick Deploy

Security checks across malware telemetry and agentic risk

Overview

This deployment skill appears purpose-aligned, but its activation language is too broad for actions that could affect real deployments.

Review this skill carefully before installing. Use it only if you are comfortable with an agent helping run deployment workflows, and require explicit confirmation of the project, platform, and target environment before any deploy command is executed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger phrases include very common conversational language such as 'ship it' and 'go live', which can cause the skill to activate in contexts where the user did not intend to perform a deployment. Because this skill can initiate real external deployment workflows, accidental invocation can lead to unintended production-affecting actions or disclosure of deployment metadata.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The core behavior says to act when the user says generic terms like 'deploy' or 'ship', without requiring confirmation of the repository, environment, or platform. In a skill that can run deployment commands, this ambiguity materially increases the chance of unintended execution and misuse through conversational overlap.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal