reky

Security checks across malware telemetry and agentic risk

Overview

This is a prose-only productivity skill for coding workflows, with broad automation language but no executable code, credential handling, persistence, or hidden behavior.

Safe to install as an instruction-only productivity helper. Because it mentions scaffolding, formatting, automation, and deployment, review any generated file changes, scripts, build commands, or deploy steps before allowing an agent to run them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The activation text is very broad and invites generalized 'personalized coding assistance' without defining clear triggers, scope limits, or approval boundaries. In a skill that also references scaffolding, automation, and deployment, vague activation increases the chance the agent will apply the skill in unintended contexts and influence actions with system or project impact.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises workflow automation and deployment-related assistance but provides no warning that these activities can modify files, change environments, or affect live systems. Without cautionary language or approval gates, users may invoke the skill expecting harmless assistance while the agent is steered toward actions with operational consequences.

VirusTotal

64/64 vendors flagged this skill as clean.
