Security audit

能够生成很多食谱的 (Can generate many recipes)

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill is not malicious, but it persistently stores and shares conversation-derived learnings with too little guidance for protecting sensitive data.

Install only if you are comfortable with an agent writing durable learning logs and future prompt guidance. Keep it project-local, avoid global hooks unless needed, review hook scripts before enabling them, and require redaction of secrets, credentials, personal data, proprietary code, and raw transcripts before anything is logged or shared across sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (8)

Intent-Code Divergence
Severity: Medium | Confidence: 98%
Finding: The security section is internally inconsistent: the document configures these scripts as command hooks, and elsewhere instructs users to execute a script directly, yet claims the scripts 'don't modify files or run commands.' That misleading assurance can cause users to under-estimate the risk of enabling automatic shell-executed hooks, reducing scrutiny of what those scripts actually do.

Vague Triggers
Severity: Medium | Confidence: 95%
Finding: An empty matcher causes the UserPromptSubmit hook to run for every prompt, creating broad automatic execution of a local shell command. While this is presented as convenience, it expands attack surface and makes any unsafe behavior in the hook script trigger continuously across normal usage.

Vague Triggers
Severity: Medium | Confidence: 92%
Finding: The user-level configuration enables the hook globally from the home directory without meaningful scope constraints. That broad persistence increases risk because the command can execute across unrelated projects and sessions, potentially exposing more data and normalizing always-on shell hook execution.

Missing User Warnings
Severity: Medium | Confidence: 97%
Finding: The setup instructions tell users to place command hooks into agent settings but do not prominently warn that matching events will execute local shell commands automatically. Omitting that warning is dangerous because users may treat the configuration as passive metadata rather than active code execution tied to prompts and tool events.

Natural-Language Policy Violations
Severity: Medium | Confidence: 93%
Finding: The guidance in SOUL.md to 'avoid unnecessary caveats and disclaimers' can weaken an agent's safety posture by biasing it away from communicating uncertainty, limits, or risk conditions. In a prompt-injected workspace system, this is especially dangerous because it can suppress warnings when the model encounters unsafe instructions, ambiguous actions, or security-sensitive operations.

Ssd 3
Severity: Medium | Confidence: 93%
Finding: The skill encourages persistent storage of learnings and cross-session sharing of conversation-derived content without any minimization, consent, or sensitivity filtering. That creates a realistic risk of sensitive prompts, secrets, internal URLs, credentials, or personal data being copied into durable files and propagated beyond the original session.

Ssd 3
Severity: High | Confidence: 97%
Finding: The template explicitly instructs the agent to record full context, inputs, parameters, and user context into persistent markdown files. In practice, those fields commonly contain API keys, secrets in CLI arguments, proprietary source snippets, customer data, or incident details, making plaintext retention and later reuse highly dangerous.

Ssd 3
Severity: High | Confidence: 96%
Finding: Presenting transcript reading and inter-session message passing as normal mechanisms for sharing learnings enables sensitive content to spread across sessions and agents that were not part of the original trust boundary. This materially increases exposure because entire transcripts often contain credentials, code, debugging output, and user-specific context.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.