Skill Reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only skill-quality reviewer with one optional third-party install example users should treat cautiously.

Install this if you want a Chinese-language checklist-style reviewer for skills. When using it, provide only the specific SKILL.md or skill folder you intend to inspect, and do not run the optional `npx ... install` example unless you trust the source and explicitly want to install that separate skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill tells the agent/user to install a third-party skill via `npx molthub@latest install skill-name` while performing a review task, which exceeds the minimum access needed to inspect a skill and introduces unnecessary code-fetching and execution risk. In a security-review context, normalizing installation of untrusted packages or skills is especially risky because the target content is itself potentially adversarial.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal