Huo15 Karpathy Guidelines

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coding-guidance skill, with the main concern being broad trigger phrases that could activate it unexpectedly.

Review whether you want a coding-style skill that may activate on generic Chinese phrases for behavior or programming standards. The available evidence does not show hidden execution or data access, but narrower trigger wording would make activation more predictable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrase at line 25 ("行为规范") is broad and generic, so it can match many unrelated user requests and cause this skill to activate unexpectedly. Unintended invocation can distort agent behavior by injecting this skill's guidance when the user did not ask for it, reducing predictability and potentially interfering with higher-priority instructions.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrase at line 28 ("编程规范") is highly generic and likely to collide with many ordinary programming conversations. This increases the chance of accidental skill activation, which can unexpectedly steer the agent's response style or workflow without explicit user intent.

VirusTotal

66/66 vendors flagged this skill as clean.
