Back to skill

Security audit

Zoriy Prompt Engineer

Security checks across malware telemetry and agentic risk

Overview

This skill only generates technical prompts and has no evidence of installing code, reading files, using credentials, or running background actions.

Install this if you want technical prompts shaped around ClaudeKit Engineer and Context7 defaults. Review the generated prompt before passing it to another agent, especially for non-technical prompts or when you do not want those defaults included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is very broad and includes generic phrases like "write me a prompt" and "create a prompt," which can match many ordinary requests outside the intended engineering scope. In an agent-routing system, this increases the chance the skill activates unexpectedly and injects its own defaults or instructions into unrelated workflows.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill imposes mandatory use of a specific mode/tooling stack ("ClaudeKit Engineer" and "Context7-enabled development") as non-optional defaults for every technical prompt. This can override user intent, bias downstream agent behavior, and cause unauthorized tool selection or dependency on external documentation/tooling without explicit user consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.