Security audit

PRE Engineering Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PRE multi-agent workflow, but it asks users to run persistent agents that can edit code and mutate git history with limited per-action control.

Install only if you intentionally want a persistent multi-agent coding workflow in this repository. Start from a clean git state, review the generated .pre guides before launching loops, keep secrets and unrelated work out of scope, store job IDs carefully, and do not allow the reviewer agent to stash or commit unless you are comfortable with autonomous repository changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: The skill authorizes creation of a user-specified code directory, which expands behavior beyond PRE document initialization into modifying the project structure. In context this is not overtly malicious, but it increases the write scope and could create unexpected directories or files in sensitive locations if path input is not constrained.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The guide directs the Executor to run shell commands for time retrieval and to manage persistent loop jobs using job IDs and cancellation commands, which exceeds a document-initialization skill's stated purpose and expands the agent's operational scope into system control. In an agent setting, these instructions can cause unintended command execution, background task persistence, and unauthorized process manipulation if followed automatically or copied into downstream automation.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The planner guide expands a document-initialization skill into operational control of background loop tasks, including starting, cancelling, and auto-deleting scheduled jobs. In an agent-skill context, embedding scheduler-management instructions can cause unintended persistent execution, unauthorized task control, or destructive cancellation behavior beyond the user's expected scope.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The reviewer template grants shell and git execution duties to a role that is supposed to perform document/code review, expanding its authority from assessment into repository mutation. That creates unnecessary write-side effects and command execution capability, which can be abused or accidentally triggered to alter code state, stash data, or create commits without explicit user approval.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The guide instructs the reviewer to record loop job IDs and invoke scheduler-control commands, which extends the skill from document initialization into persistent task orchestration and process management. This broadens operational control and introduces a path for unauthorized persistence, cancellation, or manipulation of autonomous jobs outside the user's immediate intent.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The trigger conditions are broad enough to activate on generic collaboration-related requests, which can cause the skill to run when the user did not explicitly intend to initialize a PRE workflow. In this context, unintended invocation can lead to unnecessary project scaffolding, misleading workflow setup, and increased risk of writing coordination files into a repository without clear consent.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The example trigger phrases include vague everyday language such as mentioning roles like 'Planner', 'Executor', or 'Reviewer', which may appear in many benign conversations unrelated to this skill. This increases the chance of accidental activation and can steer the session into a multi-agent initialization flow the user did not request.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README states that the skill generates multiple files in the project directory but does not prominently warn that it will create or modify files under a `.pre/` path. In a development environment, silent or poorly signposted file creation can alter repository state, confuse users, and interact with version control in ways that are unexpected or disruptive.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The manifest trigger text is extremely broad and can activate on general discussion about AI collaboration rather than clear intent to initialize PRE files. That over-triggering matters because this skill can scan local files and write multiple project documents, so accidental invocation could expose project contents or cause unwanted workspace changes.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill instructs automatic scanning of README, package manifests, and other local files to infer requirements without a clear, upfront warning that local project files will be read. In this context, hidden or implicit file access is risky because users may not realize that invoking the skill can disclose repository contents to the agent.

Missing User Warnings
Severity: Low
Confidence: 74%
Finding: The guide tells users to record job IDs in project docs or local notes without warning that these identifiers may enable control over running tasks. If those documents are shared, committed, or exposed, other parties could use the IDs to interfere with agent processes or glean operational details about the environment.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.