Skill Generator

Security checks across malware telemetry and agentic risk

Overview

The skill’s main purpose is coherent, but its installer can persistently change agent behavior and fetch unpinned remote code, so users should review it before installing.

Install only after reviewing the installer and the exact files it will modify. Prefer manual, workspace-scoped installation over curl|bash or install-all, avoid broad auto-trigger bridge rules, and keep command execution approval enabled when using generated skills with scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Tainted flow: 'skill_path' from input (line 296, user input) → open (file write)

Severity: Medium
Category: Data Flow
Content:
        goal=data['goal'],
    )
    skill_path = os.path.join(skill_dir, 'SKILL.md')
    with open(skill_path, 'w', encoding='utf-8') as f:
        f.write(skill_content)
    created_files.append(('SKILL.md', 'Bộ não chính của skill'))
Confidence: 98%
Finding: with open(skill_path, 'w', encoding='utf-8') as f:

Tainted flow: 'script_path' from input (line 310, user input) → open (file write)

Severity: Medium
Category: Data Flow
Content:
            name=name,
        )
        script_path = os.path.join(scripts_dir, f'{name.replace("-", "_")}_helper.py')
        with open(script_path, 'w', encoding='utf-8') as f:
            f.write(script_content)
        created_files.append((f'scripts/{name.replace("-", "_")}_helper.py', 'Script hỗ trợ (template)'))
Confidence: 98%
Finding: with open(script_path, 'w', encoding='utf-8') as f:

Tainted flow: 'resource_path' from input (line 321, user input) → open (file write)

Severity: Medium
Category: Data Flow
Content:
        resource_content = RESOURCE_TEMPLATE.format(title='Tài liệu tham khảo', name=name)
        resource_path = os.path.join(resources_dir, 'reference.md')
        with open(resource_path, 'w', encoding='utf-8') as f:
            f.write(resource_content)
        created_files.append(('resources/reference.md', 'Tài liệu tham khảo (template)'))
Confidence: 94%
Finding: with open(resource_path, 'w', encoding='utf-8') as f:

Tainted flow: 'example_path' from input (line 332, user input) → open (file write)

Severity: Medium
Category: Data Flow
Content:
        example_content = EXAMPLE_TEMPLATE.format(title='Happy Path', name=name)
        example_path = os.path.join(examples_dir, 'example_happy_path.md')
        with open(example_path, 'w', encoding='utf-8') as f:
            f.write(example_content)
        created_files.append(('examples/example_happy_path.md', 'Ví dụ Happy Path (template)'))
Confidence: 94%
Finding: with open(example_path, 'w', encoding='utf-8') as f:

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The code unconditionally finds any process bound to the requested port and sends SIGTERM before starting its own server. This can terminate unrelated local services owned by the same user, causing denial of service or disruption of developer tooling, especially because the port is user-controllable via --port and the behavior happens automatically.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The page imports executable JavaScript and other resources from external domains (Google Fonts and SheetJS CDN). That creates a supply-chain and privacy risk: if those third-party resources are compromised, changed, blocked, or observed, the viewer can execute untrusted code or leak reviewer access patterns and document context. In a local eval-review tool, this is more concerning because reviewers may open sensitive prompts and outputs in an environment expected to be self-contained.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The installer fetches remote content from a GitHub repository and copies it into local and global agent directories, which exceeds the narrow, stated purpose of helping create or improve skills. This creates a supply-chain and trust-boundary risk because the script installs whatever is currently in the remote repo without pinning a commit, verifying integrity, or clearly warning the user about the scope of host modifications.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The script modifies instruction and configuration files for several agent platforms, including workspace files like CLAUDE.md, Cursor rules, Windsurf rules, and Copilot instructions. Because these files influence future agent behavior, silently appending or creating them can persistently alter model execution paths across projects and sessions in ways users may not expect.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The document broadly instructs agents to run system commands, access filesystems, call APIs, connect to databases, and deploy software, which materially expands capability beyond the stated purpose of creating or improving skills. In a skill-construction context, this overbroad enablement increases the chance that downstream generated skills will include unsafe execution patterns or be repurposed for harmful system actions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: These sections provide concrete instructions for health checks and deployment against server environments, which are operational DevOps actions unrelated to merely creating a new skill. Because the skill is positioned as a skill generator, embedding deploy/runbook guidance can cause the agent to scaffold or recommend privileged infrastructure actions without sufficient contextual authorization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The wrapper-script example encourages infrastructure interrogation using subprocess calls to database and Redis tooling, adding service-discovery and environment-inspection behaviors outside the skill's declared purpose. Even though presented as a simplification pattern, it teaches the agent to operationalize system checks that can expose sensitive runtime state or normalize privileged command execution.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The phrase "automate"/"automate this" is so broad that it can match many ordinary user requests and cause the skill to activate outside its intended scope. In a skill that can generate or modify other skills across platforms, accidental invocation increases the chance of unintended instruction takeover, confusing context switches, or unreviewed skill generation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Presenting "automate this" as a natural-language auto-trigger without scope limits makes the trigger overly permissive and easy to collide with unrelated conversations. Because this skill orchestrates multi-phase generation and may influence files and platform-specific instructions, over-triggering is a meaningful security and safety risk rather than just a UX issue.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The natural-language examples normalize aggressive auto-activation from broad everyday requests, which can cause the skill to seize control in contexts where the user did not intend to build a reusable skill artifact. In an agent ecosystem, this broad matching can be abused by prompt content embedded in user data or third-party text to force activation paths the operator did not explicitly request.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The Vietnamese trigger guidance includes the generic phrase "tự động hóa," which is equivalent to a highly ambiguous activation cue. This broad phrase can cause unintended activation for ordinary automation discussions, making the skill easier to mis-trigger in multilingual contexts.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The Vietnamese activation examples are broad and omit negative examples or boundary conditions, which makes over-activation likely. Since this skill is a meta-skill that creates and exports other skills, accidental triggering can propagate unsafe or unintended instruction sets more broadly than a normal single-purpose skill.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases are broad enough that the skill may activate for general requests about automation, improvement, or creating things, even when the user did not intend to invoke a powerful skill-construction workflow. Over-broad activation increases the chance of unintended file generation, permission use, or workflow steering in unrelated conversations.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: Instructing authors to make descriptions more 'pushy' systematically encourages over-activation rather than accurate routing. In a skill that can generate packages and potentially invoke code-adjacent capabilities, this raises the risk of accidental invocation and unsafe execution paths from loosely related user prompts.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The optimization phase explicitly pushes broader triggers without equally strong exclusion criteria, which can propagate unsafe activation patterns into skills produced by this meta-skill. That is especially risky because this skill is effectively a skill generator, so one bad design principle can be replicated across many generated artifacts.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding: The agent is instructed to write a JSON file to a path specified at runtime, but the skill text provides no warning, disclosure, or safety constraints around where data may be written. In an agent setting, this can enable unintended file creation or overwrite of user/workspace files if the output path is attacker-controlled or poorly validated, even though the content being written is relatively low risk.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The embedded manifest description explicitly says to use the skill whenever the user wants to do anything with PDF files and to trigger if a .pdf is merely mentioned. That kind of broad routing can cause inappropriate auto-selection, over-collection of user tasks into one powerful skill, and bypass of more specialized or safer handling paths.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger list includes very generic phrases such as requests to 'commit' or 'format commit', which can overlap with normal conversation and cause the skill to activate when the user did not intend to invoke it. In this context, the skill reads staged Git diffs, so over-broad activation can expose repository metadata or code changes unnecessarily and lead to unintended command suggestions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The installer removes any existing target directory with rm -rf before reinstalling, but it does so without a warning, backup, or interactive confirmation. If the target path already contains user-modified content or resolves unexpectedly, this can cause irreversible data loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script appends to or creates workspace configuration files such as CLAUDE.md without a prominent warning that it is modifying the current project. Because these files may be version-controlled or relied on by other tooling, silent overwrites/appends can introduce persistent behavior changes and unexpected diffs.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script clones or updates a remote repository and then installs its contents into local/global directories without an upfront warning about fetching remote content or explaining the trust implications. That behavior increases supply-chain risk because users may run the installer expecting only local setup, not remote retrieval and persistent installation.

VirusTotal

62/62 vendors flagged this skill as clean.