Subagent Orchestrator (汪哈哈版)

Security checks across malware telemetry and agentic risk

Overview

This is a genuine task-orchestration skill, but it asks for broad automation powers and has under-scoped persistence, messaging, and activation behavior that users should review carefully.

Install only if you want a skill that can manage complex tasks by creating persistent local workspaces, spawning subagents, running shell commands, and sending progress/results back to the channel where the request began. Before using it for sensitive work, confirm the workspace path, notification destination, what content may be written to memory, and whether cleanup or cron scheduling is enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch
Medium, 92% confidence
The skill is presented as an orchestration/task-decomposition helper, but it also embeds automatic outbound messaging behavior, including real-time WeChat/user-channel pushes. That expands its effective privileges from internal coordination to external communication, creating a risk of unreviewed data disclosure, spam, or exfiltration of task contents to third-party channels.

Context-Inappropriate Capability
Medium, 85% confidence
The cron-based session cleanup feature is unrelated to the stated orchestration purpose and grants persistent scheduled execution capability beyond what users would reasonably expect from this skill. Unrelated privileged behaviors increase attack surface and can be abused to create persistence or perform actions after the original task context has ended.

Context-Inappropriate Capability
Medium, 89% confidence
The skill directs shell/exec usage for filesystem setup, diffing, and outbound messaging, which goes beyond pure orchestration and introduces direct side effects on the host and external systems. Combining orchestration logic with broad exec capability makes prompt-driven misuse more dangerous, especially when task inputs may influence paths, commands, or delivery targets.

Vague Triggers
Medium, 84% confidence
The listed trigger phrases are ambiguous natural-language terms that could be matched during normal conversation, causing accidental invocation. In a high-privilege skill, accidental activation can lead to unexpected file writes, session spawning, or data retention without clear user awareness.

Vague Triggers
Medium, 84% confidence
The listed trigger phrases are ambiguous natural-language terms that could be matched during normal conversation, causing accidental invocation. In a high-privilege skill, accidental activation can lead to unexpected file writes, session spawning, or data retention without clear user awareness.

Missing User Warnings
Medium, 93% confidence
The skill mandates real-time progress pushes to WeChat and other user channels without a clear user-facing privacy warning about what data may be transmitted externally. This is dangerous because task details, file names, intermediate outputs, or sensitive metadata could be disclosed to third-party messaging platforms without informed consent.

Vague Triggers
Medium, 92% confidence
The trigger words are broad enough to match normal user discussion about task planning, complex work, or context limits, which can cause the skill to activate when the user did not explicitly request this orchestration behavior. In an agent skill, overbroad activation expands the skill's control surface and may reroute workflows, create unintended subtask decomposition, or alter execution patterns without clear consent.

Natural-Language Policy Violations
Medium, 82% confidence
The metadata and trigger words are primarily Chinese-language without any documented locale gating or user-language negotiation, so the skill may preferentially activate or steer interaction in Chinese even when the broader environment or user expectation is different. This is mainly a safety and usability issue, but in orchestration contexts it can also increase the chance of misunderstood instructions, incorrect delegation, or hidden behavior if reviewers and users do not share the same language context.

Ssd 3
Medium, 88% confidence
The skill instructs broad persistence of task data, status, and results into shared files and later aggregation into final delivery artifacts. Persisting all user-provided and generated content by default increases the risk of retaining secrets, regulated data, or unnecessary sensitive context beyond the immediate need of the task.

Ssd 3
Medium, 83% confidence
The memory policy explicitly stores user decisions and preferences for future automatic reuse, which creates durable profiling and reuse of user data beyond the immediate task. Without explicit consent, review controls, and retention limits, this can violate user expectations and propagate sensitive preferences into later workflows.

Ssd 3
Medium, 81% confidence
Appending additional user instructions into persistent task files for later reuse can retain sensitive or context-specific directives longer than necessary. If those files are reused, read by subagents, or included in summaries, the system may unintentionally propagate private instructions or stale directives into future execution.

VirusTotal

VirusTotal findings are pending for this skill version.