Security audit

pm

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward project-management skill that creates planning/status files and guides development work, with no hidden code, credential use, or external data flow found.

Install this only in a project where you want the agent to manage planning documents, edit code, run local tests, and keep status/error logs. Review ARCHITECTURE.md, TASK_TRACKER.md, ERROR_LOG.md, and code changes before approving continued work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs the agent to create project files in the repository root as part of its normal workflow, but it does not require notifying the user or obtaining consent before making filesystem changes. This can cause unexpected writes, pollute an existing workspace, or modify sensitive projects in ways the user did not authorize.

Missing User Warnings
Severity: Low
Confidence: 92%
Finding: The skill mandates writing failures to ERROR_LOG.md, which is another automatic filesystem side effect not clearly disclosed to the user. Even though the impact is lower than broader project file creation, it still introduces unapproved file writes and may leak operational details into the repository.

VirusTotal

49/49 vendors flagged this skill as clean.
