Security audit

Skill Taxonomy Router Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed skill-routing and skill-management helper; it keeps local routing records and can download skills into an inbox, but the artifacts do not show hidden theft, deception, or destructive behavior.

Install only if you want a meta-skill that records local routing decisions and manages a skill index. Be deliberate before running the intake or cleanup scripts: intake can download external skills into a local inbox, and cleanup deletes that inbox folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        result['status'] = 'already-in-inbox'
    else:
        cmd = ['clawhub', 'install', args.skill_name, '--workdir', str(INBOX), '--force']
        proc = subprocess.run(cmd, text=True, capture_output=True)
        result['downloaded'] = proc.returncode == 0
        result['status'] = 'downloaded-to-inbox' if proc.returncode == 0 else 'download-failed'
        result['note'] = (proc.stdout + '\n' + proc.stderr).strip()[:4000]
Confidence
95% confidence
Finding
proc = subprocess.run(cmd, text=True, capture_output=True)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script irreversibly deletes a fixed directory using shutil.rmtree once invoked with --yes, with no additional safety checks, path validation, dry-run mode, or confirmation that the contents were created by this skill. In the context of a taxonomy/routing skill, destructive filesystem cleanup is not necessary to core functionality, so bundling it increases risk of accidental or unauthorized data loss if the script is run directly or triggered by automation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This skill is described as a taxonomy router/classifier, but the code performs external skill download and installation. That capability expansion is risky because it turns a classification helper into a software acquisition mechanism that can import untrusted skills into the workspace, increasing attack surface and violating least privilege.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation criteria are broad enough to match many ordinary situations involving task choice, downloaded skills, policy maintenance, or threat evaluation. In a skill-loading ecosystem, overbroad trigger language can cause this powerful meta-skill to be loaded frequently, increasing exposure to its file, shell, logging, and maintenance capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs default post-action logging of routing decisions, including intent, domain, subdomain, risk, selected skills, and optional reasons, without a user-facing notice or consent flow. Persistent metadata collection can expose sensitive task patterns and create privacy risks even if the logged content is not full task data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage-tracking section normalizes persistent storage of routing and usage data over time but does not clearly warn users that behavioral metadata is being retained. Because this is a meta-routing skill likely to observe many tasks, the accumulated logs can reveal workflows, priorities, and potentially sensitive operational patterns.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The backlog entry explicitly describes a skill that the agent 'should use this SILENTLY and AUTOMAT…', which normalizes hidden invocation without user awareness or consent. Even though this file is a prioritization report rather than executable code, embedding this guidance in routing/classification context can influence downstream agent behavior toward undisclosed data collection or memory operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically downloads a skill when certain conditions are met, with no interactive confirmation or user-facing warning. In the context of a skill-routing tool, silent acquisition of external content is especially risky because users may expect analysis only, not modification of local state or introduction of new code.

Missing User Warnings

Low
Confidence
89% confidence
Finding
This script persists per-skill usage statistics to a local JSON file without any indication of notice, consent, retention controls, or minimization. Even though the data is not highly sensitive on its face, usage metadata can reveal operator behavior, installed capabilities, and workflow patterns, which creates a privacy and operational-security concern if the file is accessed by unauthorized parties.

Ssd 3

Medium
Confidence
93% confidence
Finding
The indexed description explicitly suggests preserving conversation continuity by extracting and archiving prompts across compaction cycles, which creates covert retention risk. Even in an index, this advertises a skill behavior that could retain sensitive user inputs beyond the user's expectation or consent, increasing privacy and data-governance exposure.

Ssd 3

Medium
Confidence
95% confidence
Finding
The description directs the agent to use memory silently and automatically, which creates a covert collection and retention channel. Silent persistence is dangerous because users may not realize their prompts or derived data are being stored, reused, or exposed to later tasks.

Context Leakage

High
Category
Data Exfiltration
Content
| pro | Z | Z4 | R2 | review-needed | backlog | Guide for creating effective skills. This skill should be used when users want to create a… |
| proactive-agent | Z | Z4 | R2 | review-needed | backlog | Transform AI agents from task-followers into proactive partners that anticipate needs and … |
| project-management-guru-adhd | Z | Z4 | R2 | review-needed | backlog | Expert project manager for ADHD engineers managing multiple concurrent projects. Specializ… |
| prompt-log | Z | Z4 | R2 | review-needed | backlog | Extract conversation transcripts from AI coding session logs (Clawdbot, Claude Code, Codex… |
| protonmail | A | A2 | R1 | read-only,retrieve | classified | Read, search, and scan ProtonMail via IMAP bridge (Proton Bridge or hydroxide). Includes d… |
| prowlarr | Z | Z4 | R2 | review-needed | backlog | Search indexers and manage Prowlarr. Use when the user asks to "search for a torrent", "se… |
| proxmox-full | D | D5 | R3 | write-remote,automation | classified | Complete Proxmox VE management - create/clone/start/stop VMs and LXC containers, manage sn… |
Confidence
90% confidence
Finding
Extract conversation

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.