Security audit

Comeback Buddy

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only comeback coaching skill with disclosed aggressive-response options but no hidden code, installs, credential use, or persistence.

Install this only if you want an agent to help draft assertive or aggressive replies. Be careful with workplace, family, or relationship situations, especially the nuclear templates, because the outputs may escalate conflict even though the skill itself is technically low-risk.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger list includes broad, everyday phrases such as '这句话怎么回' and '帮我分析这段对话', which can match many ordinary chat-assistance requests outside the intended niche. That raises the risk of unintended invocation, causing the skill to activate in contexts involving sensitive interpersonal conflict and potentially generate escalatory or harmful advice when the user did not explicitly ask for this specialty behavior.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.