Back to skill

Security audit

HR ArchSystem

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only HR design skill, but real employee evaluation data should be handled carefully.

Install this only for HR architecture and evaluation work. For real employees, use only data you are authorized to process, minimize personal details, keep reports in approved HR systems, define retention and access controls, and require human HR or manager review before using outputs for pay, promotion, ranking, or discipline.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger conditions are broad natural-language phrases such as general requests to build or update a competency model, which can overlap with ordinary HR discussion and cause unintended skill invocation. In an agent setting, overbroad activation can route user input into a specialized workflow without clear intent, increasing the chance of inappropriate data collection, irrelevant outputs, or policy bypass through accidental tool use.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match ordinary HR requests, which can cause the skill to activate outside the user's intended context. In a system that handles promotion assessments and employee evaluation workflows, unintended invocation can lead to inappropriate collection or processing of sensitive personnel data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section instructs users to collect and use highly sensitive employee evaluation data, including behavioral evidence, peer feedback, and AI usage information, without an explicit privacy notice, consent boundary, retention rule, or warning about employment consequences. That creates real risk of overcollection, unauthorized sharing, and downstream use in compensation or promotion decisions without sufficient safeguards.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are broad enough to match common organizational questions such as '我们应该怎么组织', which can cause the skill to activate outside its intended context. In an agent environment, overbroad invocation can route unrelated user requests into HR architecture logic, leading to inappropriate actions, data handling, or misleading outputs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.