Back to skill

Security audit

TypeScript

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only TypeScript style guide with no code execution, credentials, persistence, or hidden behavior found.

This skill appears safe to install as coding guidance. Be aware it may activate whenever TypeScript is discussed, and review any generated code or configuration before using it in a real project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill is configured to activate whenever a user merely mentions or implies TypeScript, which is an overly broad trigger for a prompt-based capability. This can cause unintended activation during ordinary discussion, leading the agent to inject style-guide behavior or additional instructions into unrelated tasks, increasing prompt-scope confusion and the chance of unsafe or undesired assistance.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill declares activation whenever the user says or implies 'TypeScript', which is an overly broad trigger for a common programming term. This can cause unintended activation in unrelated conversations, increasing the chance the agent follows this skill when the user did not explicitly request it and creating prompt-routing confusion or policy overshadowing.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The usage section says to 'Simply mention TypeScript' for activation, reinforcing a vague natural-language trigger that can fire on ordinary references rather than clear requests. In an agent environment, this broad matching makes accidental skill invocation more likely and can interfere with correct skill selection or cause the skill to steer responses unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.