Task Ops

Security checks across malware telemetry and agentic risk

Overview

This is a broad task-orchestration skill whose documented behavior is mostly coherent, but it grants the agent wide tool-use, file-writing, skill-loading, and automatic-install authority (including in the skills it generates) without adequate user-control safeguards.

Install only if you want a broad agent workflow framework that can guide tool use, code execution, file creation, and skill generation. Before using it, require the agent to confirm with you before any file change, code execution, network use, booking/purchase/account action, or skill installation, stating the exact paths and affected resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The template presents the generated skill as reference-only, but its activation flow instructs the agent to automatically install and load another skill and then delegate execution to it. This is hidden capability expansion and violates least surprise: a supposedly passive reference artifact triggers dependency acquisition and execution without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
Automatic installation of `task-ops` grants the template an unjustified ability to change the runtime environment and import additional instructions at activation time. This enlarges the trust boundary and can be abused for capability escalation, indirect prompt injection, or execution of behaviors the user did not request from a reference template.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The document claims the skill contains no execution framework, but later defines activation-time install/load behavior and execution delegation. The inconsistency is dangerous because users and downstream tooling may trust the skill as inert documentation while it actually instructs active operational behavior, which undermines transparency and security review.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger list includes broad generic terms such as '执行' (execute), '内容' (content), '创新' (innovation), '管线' (pipeline), and '流程重构' (process re-engineering), which are likely to appear in ordinary user requests outside the intended scope of this skill. That can cause accidental activation or over-selection of this skill, leading the agent to apply an inappropriate operating framework, distort task routing, or load unnecessary reference material.

Vague Triggers

High
Confidence: 95%
Finding
The trigger list includes many broad, high-frequency terms such as '管线' (pipeline), '工作流' (workflow), '执行框架' (execution framework), and '任务分解' (task decomposition), which can cause the skill to activate in unrelated conversations. Accidental invocation is dangerous because this skill can steer the agent into decomposition, tool use, and execution-oriented behavior even when the user did not intend to use it.
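The two vague-trigger findings above can be made measurable: score each trigger keyword by how often it appears in requests the skill should not own. The script below is an added example written for this review, not code from SkillSpector or from the Task Ops skill. The trigger list reproduces the terms quoted in the findings; the set of out-of-scope requests is constructed here for illustration, and a real review would use a larger corpus of real in-scope and out-of-scope prompts. Substring matching is assumed because that is how keyword triggers are usually evaluated.

```python
"""Score how broad a skill's trigger keywords are against requests the
skill should NOT own (added example; triggers quoted from the findings)."""
from collections import Counter

# Trigger keywords quoted in the two findings (as the skill defines them).
TASK_OPS_TRIGGERS = ["执行", "内容", "创新", "管线", "流程重构",
                     "工作流", "执行框架", "任务分解"]

# Constructed sample of everyday requests that are out of scope for a
# task-orchestration skill (assumption: a reviewer would use a real corpus).
UNRELATED_REQUESTS = [
    "帮我执行一下这个SQL查询",      # "run this SQL query for me"
    "总结一下这篇文章的内容",        # "summarise the content of this article"
    "给我一些创新的生日礼物想法",    # "give me some creative birthday gift ideas"
    "这个CI管线为什么失败了",        # "why did this CI pipeline fail"
    "把这段内容翻译成英文",          # "translate this content into English"
    "今天天气怎么样",                 # "what is the weather today"
]


def trigger_hit_rates(triggers, requests):
    """Return {trigger: fraction of requests that contain it}.

    Substring matching mirrors how keyword triggers are typically evaluated,
    so a two-character term such as '内容' matches anywhere it occurs."""
    hits = Counter()
    for trigger in triggers:
        hits[trigger] = sum(1 for req in requests if trigger in req)
    return {t: hits[t] / len(requests) for t in triggers}


def overbroad_triggers(triggers, requests, threshold=0.15):
    """Triggers whose hit rate on out-of-scope requests reaches `threshold`.

    Any trigger returned here would fire on ordinary conversation and should
    be narrowed (multi-word phrases, required co-occurrence) or removed."""
    rates = trigger_hit_rates(triggers, requests)
    return sorted(t for t, rate in rates.items() if rate >= threshold)


if __name__ == "__main__":
    for trigger, rate in trigger_hit_rates(TASK_OPS_TRIGGERS, UNRELATED_REQUESTS).items():
        print(f"{trigger!r:12} hit rate on unrelated requests: {rate:.2f}")
    print("overbroad:", overbroad_triggers(TASK_OPS_TRIGGERS, UNRELATED_REQUESTS))
```

Multi-word triggers such as '执行框架' and '任务分解' score zero on the constructed sample, which is the expected shape: longer, more specific phrases are the cheap fix for the single-word terms that fire on unrelated traffic.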

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly allows high-impact actions such as file read/write, code execution, and external tool usage as part of normal pipeline execution, but it does not require user consent, scope limitation, or safety gating. In a broadly applicable orchestration skill, this significantly increases the chance of unsafe or unexpected side effects if the skill is triggered or delegated automatically.

Missing User Warnings

Medium
Confidence: 91%
Finding
The travel-planning example includes '预订执行' (booking execution) as an executable action, which can affect user funds, reservations, and third-party accounts, yet the skill provides no warning, approval checkpoint, or transaction safety policy. Because the document presents this as a standard pipeline pattern, it normalizes externally consequential actions without adequate consent controls.

Vague Triggers

Medium
Confidence: 94%
Finding
The framework explicitly instructs activation when users say broad phrases like '帮我做一个XX领域知识参考库' ("help me build a knowledge reference base for domain XX"), which overlap with ordinary help-seeking requests rather than a clearly scoped invocation. In an agent setting, this increases the chance of unintended skill activation: the model switches into a heavy domain-generation workflow when the user may have intended a narrower request, which can override user intent or introduce unsafe context carryover.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger condition is very broad: any request to create a new knowledge base or domain payload can activate the skill. In a multi-skill environment, this increases the chance of unintended invocation, causing the agent to enter a generation-and-write workflow when the user may only want advice or planning. The surrounding context makes this more dangerous because the skill later instructs writing outputs to a directory, so overbroad activation can cascade into unintended file-generating behavior.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly states that generated output should be written to a specified directory, but it does not require an explicit warning, confirmation, or safe-path validation before modifying files. In agentic environments, silent file writes can overwrite existing content, create unauthorized artifacts, or be steered toward unsafe paths if directory selection is ambiguous or attacker-influenced.
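The three "Missing User Warnings" findings describe the same missing control: a gate that holds high-impact pipeline steps (file writes, code execution, network use, bookings, skill installs) until the user confirms them, and that validates the output path before any write. The code below is an added example of such a gate, written for this review; it is not code from the Task Ops skill or from SkillSpector. The action categories follow the report's own list; the action dictionary shape, the `approved` flag, and the allowed root directory are assumptions.

```python
"""Approval gate for high-impact pipeline actions plus safe-path validation
for generated output (added example; not the skill's own code)."""
from pathlib import Path

# Action kinds the report says must be confirmed by the user before they run.
HIGH_IMPACT = {"file_write", "code_exec", "network", "booking", "purchase",
               "account_action", "skill_install"}


def needs_confirmation(action):
    """True for any action with side effects outside the conversation."""
    return action["kind"] in HIGH_IMPACT


def validate_output_path(requested, allowed_root, overwrite=False):
    """Resolve `requested` beneath `allowed_root`; raise ValueError on escape.

    Joining then resolving normalises '..' segments and symlinks before the
    containment check. An absolute `requested` replaces the root entirely in
    pathlib, so it is caught by the same check rather than silently honoured.
    Existing files are refused unless the caller explicitly allows overwrite."""
    root = Path(allowed_root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"path escapes allowed root: {requested!r}")
    if target.exists() and not overwrite:
        raise ValueError(f"refusing to overwrite existing file: {target}")
    return target


def gate(action, allowed_root, approved=False):
    """Decide whether one pipeline action may run. Returns (allowed, reason).

    `approved` is the assumed signal that the user confirmed this exact
    action (kind, path/resource) after seeing it; it is never inferred."""
    if needs_confirmation(action) and not approved:
        return False, f"{action['kind']} requires explicit user confirmation"
    if action["kind"] == "file_write":
        try:
            path = validate_output_path(action["path"], allowed_root,
                                        action.get("overwrite", False))
        except ValueError as err:
            return False, str(err)
        return True, f"write to {path}"
    return True, "ok"


def review_pipeline(steps, allowed_root, approvals=()):
    """Run every step through the gate; `approvals` holds indexes the user
    confirmed. Returns one (allowed, reason) per step, in order."""
    return [gate(step, allowed_root, approved=(i in approvals))
            for i, step in enumerate(steps)]


# Constructed pipeline in the shape the report criticises: planning, a
# silent file write, and a booking step with no approval checkpoint.
SAMPLE_PIPELINE = [
    {"kind": "plan", "detail": "decompose trip into sub-tasks"},
    {"kind": "file_write", "path": "itinerary.md"},
    {"kind": "file_write", "path": "../../etc/passwd"},
    {"kind": "booking", "detail": "reserve hotel"},
]
SAMPLE_ROOT = "/tmp/task_ops_example_out"  # assumed sandbox directory

if __name__ == "__main__":
    for step, (ok, why) in zip(SAMPLE_PIPELINE,
                               review_pipeline(SAMPLE_PIPELINE, SAMPLE_ROOT)):
        print(f"{'ALLOW' if ok else 'BLOCK':5} {step['kind']:11} {why}")
```

Run with no approvals, the planning step passes and every side-effecting step is blocked; approving the first write lets it through while the path-escaping write stays blocked by the containment check regardless of approval. This is the minimum a broadly-triggered orchestration skill should ship with before it is allowed to write files or act on third-party accounts.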

VirusTotal

60/60 vendors flagged this skill as clean.