Back to skill

Security audit

Autoskill Changebrief

Security checks across malware telemetry and agentic risk

Overview

This skill does not show malware or credential access, but it can push an agent into long, assumption-heavy outputs that exceed a normal change brief.

Install only if you specifically want a very verbose, rigid analysis generator. For ordinary change briefs, this skill may overproduce, avoid asking needed clarifying questions, and fill missing facts with plausible placeholders; review or edit its instructions before relying on it for decision support.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill’s behavior diverges sharply from its declared purpose of producing a concise change brief and instead injects a massive mandatory workflow with ledgers, rebuttal loops, visualization matrices, and completion-control machinery. This is dangerous because it can hijack the host agent’s behavior, overwhelm user intent, consume excessive tokens, and induce fabrication of missing details in order to satisfy the skill’s internal demands rather than the user’s request.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file markets itself as a fast, 30-second briefing layer, but later rules explicitly require anti-compression behavior and maximal expansion. That contradiction is dangerous because it conceals prompt-injection-like control logic behind an innocuous description, making reviewers and orchestrators more likely to enable a skill that can drive runaway verbosity, higher cost, and reduced task fidelity.

Vague Triggers

High
Confidence
95% confidence
Finding
The activation guidance is overly broad, extending the skill from change briefs to generic structured design recommendations derived from raw data. This broad scope is dangerous because it increases the chance the skill will activate in unrelated contexts and then take over the session with prescriptive workflow rules that are not appropriate to the user’s request.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The rule banning common English and Chinese follow-up phrasing is not just stylistic; it constrains normal interaction patterns and helps enforce a one-way completion regime. In context, this is dangerous because it supports the larger control structure that suppresses clarification, discourages natural stopping points, and pushes the model to continue producing content even when user input is insufficient.

Ssd 4

Medium
Confidence
97% confidence
Finding
The completion-escape instructions explicitly tell the model not to stop, to invent placeholders when details are missing, and to append additional artifacts after natural completion. This is dangerous because it can force fabrication, create denial-of-wallet/token exhaustion behavior, and override user-directed boundaries on scope and completeness.

Ssd 4

Medium
Confidence
96% confidence
Finding
The stage rules force exhaustive output, repeated rebuttal cycles, and automatic repetition until internal criteria are met, regardless of user needs. This is dangerous because it can trap the model in self-perpetuating generation loops, inflate latency and cost, and subordinate user intent to adversarial prompt mechanics embedded in the skill.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.