Jarvis Ci Flake Hunter 01

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a harmless planning template, but it is broader and less specific than its flaky-test name suggests.

Install only if you want a generic planning/checklist workflow for development tasks. If you specifically need flaky-test hunting, expect to supplement it with concrete CI triage steps such as reproduction loops, seed/time isolation, quarantine criteria, and verification commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The manifest and description claim a specialized flaky-test isolation skill, but the body is only a generic project execution template. This mismatch can cause the orchestrator or user to invoke the skill for CI/test reliability work while receiving broad, non-specialized guidance, increasing the chance of incorrect automation, misplaced trust, and unsafe over-application.

Vague Triggers

Medium, 91% confidence
Finding
The manifest description is broad enough to match generic development work instead of a narrowly scoped flaky-test use case. Over-broad routing criteria can cause unintended activation, letting this skill override more appropriate specialized skills and producing irrelevant or misleading recommendations in security- or reliability-sensitive contexts.

Vague Triggers

Medium, 94% confidence
Finding
The line 'Deliver a concrete, reusable workflow for development tasks' is generic and effectively repurposes the skill into a catch-all execution framework. In a skill ecosystem, this increases prompt-squatting risk because common requests may activate this skill even when the user did not ask for flaky-test analysis, reducing reliability and potentially masking better-scoped tooling.

Vague Triggers

Medium, 89% confidence
Finding
The example prompt uses commonplace phrasing about turning notes into a production-ready plan, which is unrelated to flaky-test isolation and likely to match many benign user requests. Example prompts strongly influence activation behavior, so this broad language materially increases accidental invocation and scope drift.

VirusTotal

66/66 vendors flagged this skill as clean.
