
Security audit

Autonomous Organization

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it asks agents to run broad autonomous work around the clock without clear user controls.

Install only in an agent environment where you can enforce approvals, scoped file access, visible logs, bounded schedules, resource limits, reviewed memory changes, and an easy way to stop spawned work. Avoid using it in sensitive workspaces unless those controls are already in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs use of spawned sub-agents to perform ongoing work, including file organization, documentation updates, memory maintenance, and system/security checks, but it does not provide user-facing guardrails, approval requirements, or limits on what those agents may modify. In an agentic environment, this can lead to unintended file changes, persistent state manipulation, or system-affecting actions occurring autonomously and repeatedly without adequate oversight.

VirusTotal

66/66 vendors flagged this skill as clean.
