Jarvis Api Contract Guard 01

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only planning skill with a real quality mismatch, but it does not request code execution, credentials, persistence, or sensitive access.

Safe to install as a generic planning aid, but do not rely on it alone for API backward-compatibility review. For contract work, explicitly ask for schema diffs, breaking-change classification, versioning/deprecation review, consumer impact checks, and compatibility test evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The manifest claims this skill designs and verifies API contracts for backward compatibility, but the body only provides a generic project-execution playbook. This mismatch can cause the agent to invoke the skill in API-governance contexts and then return outputs that omit contract-specific checks such as schema diffing, versioning rules, breaking-change detection, and compatibility validation.

Vague Triggers

Medium
Confidence: 90%
Finding
The description is broad enough to match general development work, not just API contract tasks. That increases the chance of unintended activation, where a generic skill is selected in place of a more appropriate specialized skill, leading to incomplete or misleading guidance.

Vague Triggers

Medium
Confidence: 93%
Finding
The body presents a generic reusable workflow inconsistent with the specialized API-contract-focused name. In context, this makes the skill more dangerous because users and orchestrators may trust the specialized label while receiving guidance that lacks domain-specific safeguards.

Vague Triggers

Medium
Confidence: 88%
Finding
The example prompts are phrased so generally that they overlap with ordinary planning and execution requests. This broadens trigger conditions and can cause the skill to activate outside its intended domain, compounding the mismatch between advertised purpose and actual behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
