Subagent Task Splitting + Superpowers

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for organizing subagent work; its behavior is mostly clear and purpose-aligned, with some privacy hygiene to consider around temporary task files and forum notes.

Before installing, confirm where forum traces are written and avoid including secrets or sensitive user data in task briefs. If you use this in a shared system, prefer cleaning /tmp/tasks regularly or adapting the workflow to a private per-user directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 93%
Finding
The skill mandates creating Task Brief files under /tmp/tasks for every spawned subagent without any disclosure to the user or guidance on handling sensitive content. This can cause unintended persistence of user prompts, secrets, or task context in a shared or inspectable temporary location, especially on multi-user systems or environments where /tmp is broadly accessible.

VirusTotal

63/63 vendors flagged this skill as clean.
