Back to skill

Security audit

Roast Chef 💀

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed comedy-roast assistant; its main risk is unexpectedly harsh or Chinese-language feedback, not hidden system access.

Install this only if you want intentionally sharp comedic feedback. Use explicit roast prompts, and be careful in ordinary critique or professional review workflows because generic phrases may trigger a harsher tone than expected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes very generic phrases such as 'rate my', 'critique', and 'call me out', which can match many normal user requests that are not asking for this specific skill. That can cause unintended activation, leading the agent to produce insulting or inappropriate roast-style content in contexts where the user expected neutral help.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill body is primarily written as mandatory Chinese operating instructions ('你是谁', '核心原则', '模式切换') without clear user opt-in, even though metadata suggests mixed-language usage. This can override the user's expected language and cause the agent to respond in Chinese or follow Chinese-only behavioral framing unexpectedly, reducing usability and increasing the chance of confusing or policy-inconsistent outputs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.