Back to skill

Security audit

Project Doc Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed project-documentation skill that reads a chosen repository and writes docs, with no executable code or hidden install behavior.

Install this if you want full-project documentation. Before using it, clearly specify the target repository and output directory, and do not point it at projects with secrets or sensitive material unless you are comfortable with that information being summarized in generated docs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is very broad and includes generic phrases like '生成文档', '代码分析', and '分析这个项目', which can match ordinary requests that were not meant to invoke this powerful repo-reading skill. That increases the chance of unintended activation, causing the agent to over-collect context, perform unnecessary repository-wide analysis, or override a user's narrower intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.