skill-privacy-guard

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed privacy sanitizer for skill files, with over-editing risk but no evidence of hidden execution or data theft.

Install only if you want automatic privacy review of skill files. Keep version control or backups and review diffs before publishing, because broad sanitization rules can miss secrets or replace legitimate examples unnecessarily.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill is configured to auto-trigger after creating or editing any skill.md file, which is overly broad for a high-priority sanitizer that can read and rewrite files. This can cause unintended invocation on routine edits, creating opportunities for destructive or confusing modifications and making the skill hard to safely reason about in a multi-skill environment.

Vague Triggers

Low
Confidence: 87%
Finding
The manual trigger phrase "clean up the skill" is ambiguous and likely to overlap with ordinary editing requests. That makes accidental activation plausible, which is risky because the skill is designed to alter file contents and remove data based on broad pattern matching.

VirusTotal

64/64 vendors flagged this skill as clean.
