skill-tester-cn

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking skill tester, but it may actually run other skills or their scripts without clear safety limits.

Install only if you are comfortable with a tester that may exercise another skill's real behavior. When using it, direct the agent to simulate or dry-run tests unless you explicitly approve real execution, and avoid running it against skills that can delete files, spend money, publish content, or access sensitive accounts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The skill instructs saving a generated report into the current working directory without any explicit user warning or confirmation. This can create unintended files, clutter repositories, or modify sensitive directories if the skill is run from an important project path, especially because the write target is derived from the tested skill name and timestamp.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal