xtest

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent code-quality gate that may run tests and guide small fixes, with no hidden install code, persistence, credential handling, or data exfiltration found.

Install this if you want a strict pre-delivery testing workflow. Because it may run local validation commands and suggest limited fixes, invoke it deliberately for code delivery checks and review any proposed changes before accepting them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list includes broad phrases like '代码验证', '交付前检查', and '质量门禁' that can match many ordinary development or QA conversations, causing the skill to activate outside its intended context. In an agent environment, over-broad activation can unexpectedly inject gatekeeping behavior, alter workflows, or initiate validation steps when the user did not explicitly request this skill.

Natural-Language Policy Violations

Medium

Confidence: 80% confidence
Finding: The skill content is written entirely in Chinese and does not offer language negotiation or state that it only supports Chinese-speaking users. This can cause misinterpretation of instructions, incorrect execution, or hidden behavior for users and reviewers who do not understand the language, reducing transparency and increasing operational risk in multilingual environments.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal