Security audit

displayname-wk

Security checks across malware telemetry and agentic risk

Overview

This is a coherent skill-building helper whose file edits and packaging scripts match its stated purpose.

Install this only if you intend to create or maintain skills. Run the helper scripts against a specific working folder, review generated or modified files before packaging, and avoid including secrets or unrelated local files in any .skill package you share.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to run local scripts, edit files, delete generated content, and package artifacts, which implies shell, file read, and file write capabilities. Because no permissions are declared, the skill asks for privileged actions without transparent scoping, increasing the chance of overbroad execution and unsafe tool use in environments that rely on declared permissions for policy enforcement.

Self-Modification

High
Category
Rogue Agent
Content
1. Understand the skill with concrete examples
2. Plan reusable skill contents (scripts, references, assets)
3. Initialize the skill (run init_skill.py)
4. Edit the skill (implement resources and write SKILL.md)
5. Package the skill (run package_skill.py)
6. Iterate based on real usage
Confidence
89% confidence
Finding
write SKILL

Self-Modification

High
Category
Rogue Agent
Content
Any example files and directories not needed for the skill should be deleted. The initialization script creates example files in `scripts/`, `references/`, and `assets/` to demonstrate structure, but most skills won't need all of them.

#### Update SKILL.md

**Writing Guidelines:** Always use imperative/infinitive form.
Confidence
91% confidence
Finding
Update SKILL

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.