Security audit

blueprint

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it can move from planning into code changes and tells the agent not to pause once implementation starts, so it needs careful review before use.

Install only if you want a strict requirements, RFC, and implementation workflow. When invoking it, explicitly say whether you want “only Spec/RFC” or whether code changes are authorized, and require the agent to pause for new ambiguity, safety issues, permission changes, or scope changes despite the skill’s no-pause wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding:
The skill is presented as a requirements/specification workflow, but its instructions explicitly continue into direct implementation after user confirmation. This creates a capability mismatch: users or routing logic may invoke it expecting analysis-only behavior, while the skill is authorized to modify code and continue execution beyond the advertised scope.

Intent-Code Divergence

Severity: Medium. Confidence: 88%.
Finding:
The manifest advertises a five-stage workflow ending at Validation, but the body adds a mandatory implementation phase. This inconsistency can mislead users, orchestrators, or policy layers about the true operational scope of the skill and weaken safeguards that depend on accurate phase definitions.

Vague Triggers

Severity: Medium. Confidence: 90%.
Finding:
The trigger conditions are extremely broad and match many normal requests such as 'help me think through how to do this' or 'write a technical plan.' Over-broad activation increases the chance this powerful workflow is invoked unintentionally, which is especially risky because the skill later escalates into implementation by default.

Vague Triggers

Severity: Medium. Confidence: 90%.
Finding:
The trigger set is broad and overlaps with many normal engineering requests such as design discussions, refactoring planning, and implementation brainstorming. This can cause the skill to activate outside its intended scope, leading to prompt hijacking of unrelated tasks, unnecessary workflow insertion, or capture of conversations that were not meant to invoke this skill.

Ssd 1

Severity: Medium. Confidence: 95%.
Finding:
The instruction that the assistant must not pause once implementation starts attempts to override normal interaction and safety boundaries. In practice, this can pressure the agent to keep acting through ambiguity, errors, or missing approvals, increasing the risk of unintended code changes or unsafe autonomous behavior.

Ssd 1

Severity: High. Confidence: 98%.
Finding:
Requiring 'reasoning before conclusions' is effectively an instruction to expose internal chain-of-thought. That is dangerous because it conflicts with secure model operation, can leak hidden deliberative content, and may provide attackers with extra material to manipulate model behavior or infer protected decision processes.

Ssd 1

Severity: High. Confidence: 98%.
Finding:
The mandated pre-question analysis format explicitly requires disclosure of internal analysis before user interaction. This creates a systematic chain-of-thought exfiltration path embedded in the skill itself, which is especially problematic because it applies repeatedly during elicitation cycles.

Ssd 1

Severity: High. Confidence: 97%.
Finding:
The validation stage again requires presenting detailed reasoning across 'good enough' dimensions, reinforcing repeated disclosure of internal deliberation. Repeated reasoning-exposure requirements increase the chance of sensitive policy leakage and create reusable prompts for extracting hidden model processes.

VirusTotal

62/62 vendors flagged this skill as clean.