Hybrid Dev

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only development workflow skill that guides planning, Copilot handoff, and validation without hidden code or privileged behavior.

Safe to install as a workflow aid. Before using it, review anything you paste into Copilot or phase outputs and remove credentials, private keys, customer data, or confidential details; also be aware it may activate more often than intended in general development conversations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill metadata advertises broad triggers such as 'iteration', 'validation', and 'task pack', which are generic terms likely to appear in normal development conversations. This can cause the skill to activate outside the author's intended scope, injecting workflow instructions into unrelated sessions and increasing the chance of unintended behavior or prompt-scope interference.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal