Security audit

Skill Creator Flagos

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed developer tool for creating and editing skill files, with broad trigger guidance that users should apply carefully.

Install this only if you want an agent to help create or modify skill files. Review proposed edits before accepting them, keep generated skill triggers narrow for sensitive workflows, and do not treat the unrelated crypto/purchase metadata tags as evidence that this artifact actually performs those actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding: The trigger description is broad enough to activate on ordinary developer conversation such as 'improve this skill' or generic mentions of packaging workflows. Over-broad triggering can cause the agent to invoke a high-privilege skill unexpectedly, leading to unintended file modifications, scaffolding actions, or script execution in contexts where the user did not explicitly request them.

Vague Triggers

High
Confidence: 96%
Finding: The instruction to make descriptions trigger 'too often rather than too rarely' actively encourages authors to create over-broad activation logic. In a system where this skill has write and execution capabilities, that increases the chance of unintended activation and downstream privileged actions, including editing repository files or running local scripts without sufficiently specific user intent.

Self-Modification

High
Category: Rogue Agent
Content:
## Overview

This skill guides you through the full lifecycle of skill development:
1. **Create** — scaffold a new skill from template, interview the user, write SKILL.md
2. **Improve** — analyze an existing skill, identify weaknesses, iterate with test cases
3. **Validate** — check structure, frontmatter, references, and conventions compliance
Confidence: 84%
Finding: write SKILL

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.