Security audit

Lesson

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it has enough local side effects and packaging/privacy issues that users should review it before installing.

Install only if you want a skill-development and evaluation workflow. Before running it, review the included hidden memory and unrelated daily-menu files, avoid packaging folders that may contain dotfiles, logs, credentials, or private notes, and be aware that eval helpers may use your Claude CLI session, create temporary .claude command files, launch local viewers, and terminate a conflicting local port.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers
Severity: High. Confidence: 90%.
Finding:
The skill is framed to create, edit, benchmark, and optimize other skills, and the body repeatedly encourages expansive invocation across loosely related requests. Overbroad triggering is dangerous because once invoked, this skill can cause shell execution, filesystem writes, background processes, and benchmarking workflows in situations where the user may have only wanted normal assistance, leading to unnecessary high-privilege actions.

Vague Triggers
Severity: High. Confidence: 96%.
Finding:
The instructions explicitly tell authors to make descriptions 'pushy' and to trigger even when the user does not explicitly ask for the skill. That directly increases accidental invocation risk and can route ordinary conversations into a workflow that performs file operations, runs scripts, and starts persistent background processes without a proportionate need.

Vague Triggers
Severity: Medium. Confidence: 90%.
Finding:
The file defines two materially different operating modes—post-hoc comparison analysis and benchmark pattern analysis—but does not provide a strict, machine-checkable routing condition or mutually exclusive schema. An agent receiving mixed or partial inputs could execute the wrong mode, produce the wrong output format, or blend instructions from both sections, which can corrupt evaluation artifacts and mislead downstream automation.

Vague Triggers
Severity: Medium. Confidence: 88%.
Finding:
The trigger list includes broad everyday phrases like '菜单' (menu) and '菜谱推荐' (recipe recommendation), which can cause the skill to activate in conversations where the user did not specifically request this workflow. Over-broad triggering can lead to incorrect routing, user confusion, and unintended invocation of file-reading and response logic, especially in multi-skill environments.

Missing User Warnings
Severity: Medium. Confidence: 95%.
Finding:
The script automatically kills whatever process is bound to the requested port before starting its server, without confirming ownership or obtaining explicit user consent at execution time. In a skill/agent context this is more dangerous because running the tool can terminate unrelated local services, causing denial of service or data loss if the killed process was important.

Missing User Warnings
Severity: Medium. Confidence: 97%.
Finding:
The viewer converts spreadsheet data into HTML with `XLSX.utils.sheet_to_html(...)` and injects it via `wrapper.innerHTML = htmlStr`. If uploaded or embedded spreadsheet cell content contains HTML/script-capable payloads, this can lead to DOM XSS or UI injection in the review interface, especially because this tool displays untrusted eval outputs. In this skill context, outputs may be adversarial by design, which makes rendering generated content as raw HTML more dangerous than in a typical trusted document viewer.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.