Security audit

wangkang-skill-c

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent skill-authoring helper that creates, validates, and packages local skill files when the user asks for that work.

Install this only if you want the agent to help author skill files. Use an explicit workspace path, review generated or modified files before packaging, and keep secrets or unrelated files out of the skill directory because the packaging helper archives everything under that folder. Also verify that the publisher and forked package identity are acceptable before relying on it in a shared environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The skill description is broad enough that it could trigger on many generic requests about creating or updating skills. Over-broad triggering can cause the skill to activate in unintended contexts, exposing higher-risk instructions like file creation, script execution, and packaging workflows when they were not actually needed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal