Back to skill

Security audit

JavaScript

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only JavaScript style guide with broad but disclosed activation and no evidence of code execution, data access, or persistence.

Install this if you want JavaScript answers shaped by this style guide. Be aware it may affect any request that mentions JavaScript, even casual or mixed-language requests, so disable it if you only want explicit style-guide help.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill declares that it "automatically activates" whenever JavaScript is mentioned or implied, which is an overly broad trigger for a prompt-based skill. This can cause unintentional invocation in unrelated contexts, increasing the chance that hidden prompt instructions override user intent, interfere with other skills, or shape responses when the user did not explicitly request this behavior.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill activates whenever a user mentions or implies 'JavaScript', which is a very common topic and lacks scope constraints. This can cause unintended activation during ordinary conversations, code review, or mixed-language tasks, leading the agent to apply hidden behavior or style constraints when the user did not explicitly request this skill.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The usage section states that simply mentioning 'JavaScript' automatically activates the skill, reinforcing a broad natural-language trigger with no boundary conditions. In agent systems, this increases prompt-scope collision risk and can override user intent by injecting style-guide behavior into unrelated or only tangentially related requests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.