Movi Review-First Bundle

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local Movi MCP setup guide that emphasizes review-first inspection before any changes.

Install only if you intend to use a local Movi MCP workflow. Before running the setup, review the referenced movi-organizer repository and dependencies, replace the placeholder MCP path only with a trusted checkout, and keep patch or rule-apply tools gated behind explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger phrase `movi` is extremely broad and is also the product name, so ordinary user discussion about Movi can unintentionally activate the skill. In an agent setting, accidental activation can steer the assistant into installation and MCP-connection guidance when the user only meant to mention the tool, increasing the chance of unnecessary tool-oriented actions or context hijacking.

Vague Triggers

Low

Confidence: 82% confidence
Finding: The `Use this skill when` section describes positive conditions but does not clearly define exclusion criteria or a firm activation boundary. That ambiguity can cause the agent to invoke the skill in adjacent situations, which is less severe here because the skill is review-first and discourages mutation, but it still broadens the chance of unintended workflow steering.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal