Security audit

Gstack AI虚拟工程团队 (Gstack AI Virtual Engineering Team)

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed engineering workflow, but it can guide agents into broad code changes, real-environment testing, external model sharing, and deployment without enough explicit consent boundaries.

Install only if you intend to use a high-autonomy engineering workflow. Keep it on staging or local projects by default; require explicit approval before file writes, destructive tests, merges, deployments, or production access; and do not use /xcheck or memory updates with proprietary code, secrets, customer data, or regulated data unless you have reviewed and accepted the external sharing and retention implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The example implementation uses a naive string prefix check with `startswith`, which can be bypassed by sibling paths sharing the same prefix, such as allowing `/backend/api/endpoints-malicious/file.py` when `/backend/api/endpoints/` is intended. In a skill explicitly meant to constrain where an AI agent may write, this undermines the safety boundary and could permit unauthorized edits outside the approved directory.
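The bypass this finding describes, as an added example (not the audited skill's own code): the naive `startswith` check next to a containment check built on `os.path.realpath` and `os.path.commonpath`. It goes slightly beyond the finding by also covering `..` traversal and a symlink planted inside the approved directory, since a prefix test misses those too. The directory `/backend/api/endpoints`, the function names, and the temp-dir sandbox in `symlink_escape_demo` are assumptions for illustration.

```python
import os
import tempfile

# Approved write root taken from the finding's wording; an assumed value.
ALLOWED_DIR = "/backend/api/endpoints"


def naive_is_allowed(path: str, allowed_dir: str = ALLOWED_DIR) -> bool:
    """The flawed check the finding describes: a plain string prefix test.

    Any sibling whose name merely starts with the approved directory name
    (e.g. /backend/api/endpoints-malicious/) passes, as do `..` segments and
    symlinks, because nothing is normalised or resolved before comparing.
    """
    return path.startswith(allowed_dir)


def is_allowed(path: str, allowed_dir: str = ALLOWED_DIR) -> bool:
    """Hardened containment check.

    realpath() collapses `.`/`..`/duplicate separators and follows symlinks in
    the components that exist, so the comparison is made on the location a
    write would really land. commonpath() compares whole path components, so
    'endpoints' and 'endpoints-malicious' are different directories.
    """
    root = os.path.realpath(allowed_dir)
    target = os.path.realpath(path)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # The two paths cannot be compared at all (different drives on Windows,
        # or one absolute and one relative); treat that as outside the root.
        return False


def symlink_escape_demo() -> dict:
    """Build a throwaway sandbox containing a symlink that points outside it,
    then ask both checks whether a write through that link is allowed.

    Returns {"naive": bool, "hardened": bool}. This is a constructed scenario,
    not data from the audited skill.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "endpoints")  # the only directory the agent may write to
        outside = os.path.join(tmp, "secrets")    # somewhere it must not reach
        os.makedirs(sandbox)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(sandbox, "link"))
        # Lexically inside the sandbox, but resolves to <tmp>/secrets/config.yaml.
        victim = os.path.join(sandbox, "link", "config.yaml")
        return {
            "naive": naive_is_allowed(victim, sandbox),
            "hardened": is_allowed(victim, sandbox),
        }


if __name__ == "__main__":
    for candidate in (
        "/backend/api/endpoints/users.py",             # legitimate target
        "/backend/api/endpoints-malicious/file.py",    # sibling-prefix bypass from the finding
        "/backend/api/endpoints/../../../etc/passwd",  # traversal through `..`
    ):
        print(f"{candidate}: naive={naive_is_allowed(candidate)} hardened={is_allowed(candidate)}")
    print("symlink escape:", symlink_escape_demo())
```

The check should be applied to the path the agent is about to open for writing, after any user- or model-supplied joining has happened, and the approved root should itself be resolved once at startup so a later symlink swap cannot move it.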

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger phrases include broad, everyday development language such as team-mode and review-related terms, increasing the chance that the skill activates when a user did not explicitly intend to invoke this workflow. Because the skill can progress into code changes, testing, browser actions, or deployment-oriented phases, accidental activation can lead to unintended side effects or over-broad agent behavior.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The 'full automatic Sprint' behavior is ambiguous about when all seven phases run versus when some are skipped, leaving too much discretion to the agent at runtime. In a skill that includes testing, auto-fixing, browser interaction, and shipping/deployment concepts, ambiguous orchestration can cause unexpectedly invasive actions without sufficiently clear user intent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: Single-stage invocation examples like generic requests to review, test, or reflect are too common in normal developer conversation to be safe triggers. This creates a prompt-injection-like routing risk where ordinary language may unintentionally invoke privileged workflow behavior beyond what the user expected.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill describes opening a real browser, executing end-to-end flows, discovering bugs, automatically fixing them, and re-validating, but does not present a strong, upfront warning or consent boundary for actions that may touch real accounts, data, or external services. In context, this is more dangerous because the skill is explicitly designed for software delivery workflows, where browser-driven tests can trigger purchases, submissions, destructive mutations, or data corruption in non-test environments.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The SHIP phase includes syncing main, pushing PRs, merging, waiting for CI, deploying, health checks, and canary monitoring, yet lacks a dedicated high-visibility production warning and explicit consent boundary. In context, this is especially risky because the skill presents deployment as part of an automated default pipeline, which could normalize production-affecting actions without sufficiently deliberate authorization.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding: The skill content is entirely in Chinese and specifies Chinese-only review structure and terminology without offering any language selection or fallback. In a multi-user or mixed-language environment, this can cause misinterpretation of security- or quality-relevant guidance, reduce operator comprehension, and lead to incorrect outputs or unsafe downstream decisions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The guidance explicitly tells users to use real environments and near-real data, but provides no guardrails about privacy, production safety, data minimization, or use of dedicated test accounts. In a QA/E2E testing skill, this omission can lead operators to run tests against sensitive systems or datasets and accidentally expose personal data or cause unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The API testing steps instruct sending real HTTP requests, including boundary and concurrent cases, and verifying writes/deletes/updates, but do not constrain this to non-production systems or mention rollback, idempotency, or destructive-action safeguards. In context, this could cause data corruption, service disruption, or unauthorized modification if followed against live systems.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill explicitly describes automatic bug fixing, retry loops, and progress saving after user interruption, but it does not require an explicit confirmation boundary before code or project-state modifications occur. In an agent workflow that can edit files or trigger subagents, this can lead to unintended code changes, overwritten work, or persisted state/data without the user's informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly states it will send the user's current plan or code to another AI model for secondary review, but it provides no notice, consent step, or guidance about sensitive data handling. This can cause unintended disclosure of proprietary code, credentials, architecture details, or internal business logic to third-party model providers, which is especially risky in a development workflow where sensitive material is common.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The workflow directs the agent to send the same plan or code to both a main model and a cross-check model, multiplying the number of external disclosures without warning the user. In the context of an engineering-team skill, the reviewed artifacts may contain unreleased features, infrastructure details, vulnerabilities, or regulated data, so silent multi-provider transmission materially increases confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.destructive_delete_command (Warn)

Documentation contains a destructive delete command without an explicit confirmation gate.

Location: tools/careful.md:42