Agent Development

Security checks across malware telemetry and agentic risk

Overview

This skill is instructional and on topic, but it encourages broad agent permissions that can let future agents edit files, run shell commands, and fetch from any website with fewer prompts.

Install only if you want agent-building guidance and will review the recommended settings before applying them. Do not copy the broad `.claude/settings.json` allowlist as a global default; keep WebFetch domains, Bash commands, Write/Edit access, and proactive delegation scoped to each specific agent and project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The guidance explicitly recommends `WebFetch(domain:*)`, which grants blanket outbound network access to any domain. In an agent-design skill, this is broader than necessary and can enable data exfiltration, retrieval of malicious content, or unauthorized communication without user review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
Telling users to give all agents a full toolset by default, including `Write`, `Edit`, and `Bash`, violates least privilege and expands the blast radius of every agent. If an agent is misdirected, compromised, or simply mistaken, it gains immediate ability to modify files and execute shell commands beyond what many tasks require.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The document characterizes the Bash allowlist as 'safe read-only and file management commands,' but it includes mutating operations like `cp`, `mkdir`, `mv`, and `touch`. This mislabeling can cause operators to underestimate the real write and filesystem modification capability being granted.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The manifest description includes unresolved placeholder language such as "MUST BE USED when [specific triggers]" and "Use PROACTIVELY for [task category]," which creates ambiguous, overly broad delegation criteria. In an agent-routing context, this can cause the skill to be invoked in unintended situations, increasing the chance of inappropriate tool use, prompt interference, or unsafe task handling beyond the author's intended scope.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The auto-trigger list contains very broad phrases such as "build agent," "model selection," and "workflow," which can plausibly appear in normal development conversations and cause this skill to load unexpectedly. Unintended invocation increases the chance that the agent applies specialized guidance in the wrong context, expands tool exposure, or influences downstream decisions without explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The skill explicitly recommends strong auto-delegation phrases such as 'MUST BE USED when...' and 'Use PROACTIVELY for...' without requiring narrowly scoped triggers or collision checks. In an agent system, overly broad activation criteria can cause unintended delegation, sending tasks to the wrong sub-agent and increasing the chance of unsafe tool use or incorrect autonomous actions.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The quick-reference template repeats the same broad trigger pattern but provides no guardrails, examples, or scoping requirements. Because this template is likely to be copied into new agents, it can propagate ambiguous delegation rules across many agents and create systemic misrouting or over-privileged execution paths.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The guidance recommends strong auto-delegation language such as "MUST BE USED" and "Use PROACTIVELY," which can cause agents to be invoked based on broad description matching rather than narrow, verified preconditions. In a system that supports automatic delegation, this increases the chance that an over-privileged or context-inappropriate agent is selected for tasks it should not handle, leading to unintended tool use or workflow actions.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The example descriptions use expansive task-category phrases like "Use PROACTIVELY for any visual QA task" and browser automation language without clear exclusions or guardrails. This makes automatic matching more permissive and can route loosely related requests to specialized agents unnecessarily, which is risky when those agents have powerful tools or side-effecting capabilities.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill recommends blanket permission for file modification, arbitrary web fetching, and Bash operations while omitting discussion of privacy, integrity, or unintended system effects. In the context of designing reusable agents, this is especially dangerous because it can normalize insecure defaults across many downstream agents and projects.

VirusTotal

64/64 vendors flagged this skill as clean.