helword

Security checks across malware telemetry and agentic risk

Overview

This is a simple greeting skill with broad auto-invoke triggers, but no evidence of sensitive access, persistence, or harmful behavior.

Install this if you want a basic greeting demo skill. Be aware that because auto-invoke uses common words like hi and hey, it may occasionally run when you intended a normal conversation or another skill to handle the message.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The greeting trigger regex is broad enough to match very common conversational text such as 'hi' or 'hey', which can cause the skill to auto-invoke in many unrelated interactions. In an auto_invoke skill, this creates routing collisions and unintended execution, reducing reliability and potentially overshadowing more appropriate skills.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The self-introduction trigger pattern matches vague phrases like 'introduce' or 'about yourself' without clear scoping, so it may activate on unrelated discussion or user text that merely contains those words. Because the skill only returns a harmless greeting, the security impact is limited, but it still creates unintended invocation and interference with normal assistant behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal