d-token-saver

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only token-saving guide with broad activation wording but no hidden code, installation script, or unsafe behavior.

Install if you want an assistant to apply token-saving habits across coding and design tasks. Be aware that its trigger is broad, so it may steer the assistant toward terse, structured, efficiency-focused behavior even when you did not explicitly ask for that.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger is broad because it fires not only on explicit token-saving requests but also proactively at the start of coding or design tasks. That can cause unintended invocation in many unrelated sessions, increasing prompt injection surface and causing the skill to influence behavior when the user did not request it. In this skill, the content is mostly operational guidance rather than directly dangerous instructions, so the main risk is overreach and workflow interference rather than immediate compromise.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal