Skill Quality Check

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill that helps review the quality of other skills, with no hidden execution or credential access found.

Use this as a writing-quality checklist, not a security vetter. Audit only skill files you intentionally choose, treat any downloaded or reviewed SKILL.md as untrusted source text, and run a separate security review before installing third-party skills.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The skill activates on extremely common words like "PDF" or "document," which are likely to appear in many unrelated user requests. This can cause unintended activation, inject irrelevant instructions into normal conversations, and increase the chance the agent follows stale or low-quality guidance outside the intended scope.

Vague Triggers

Low

Confidence: 89% confidence
Finding: The examples teach users and the agent that vague prompts like "Help me with a PDF" or "Create a PDF" are sufficient to invoke the skill, reinforcing broad activation behavior. In context this is not directly malicious, but it normalizes ambiguous triggering and makes accidental invocation more likely across routine document-related conversations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal