Implicit Contract Defense

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Rust/SeaORM development-guideline skill with local helper scripts; its main risks are ordinary project-code execution and overwriting a chosen generated types file.

Install only for Rust/SeaORM projects where you want this contract-enforcement workflow. Review generated file paths before running gen_types.sh, because it runs the local Rust test/build flow and rewrites the specified frontend types file. Also fix or account for the Cancelled-status documentation mismatch before treating the examples as canonical.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The skill documents a valid state transition `Running → Cancelled`, but the earlier `TaskStatus` enum example does not define a `Cancelled` variant. In a skill whose core purpose is enforcing explicit contracts across boundaries, this mismatch is a genuine integrity risk: implementers may assume cancellation is supported while generated types, DB enums, and business logic do not actually encode it, leading to inconsistent behavior, failed deserialization, or unsafe ad hoc workarounds.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal