Summary
The automate-this skill's SKILL.md file (added in #930) is being flagged and automatically removed by ESET Security antivirus software as a potential threat (false positive).
Environment
- OS: Windows 11
- Antivirus: ESET Security (productState: 266240, active protection)
- File path: `%LOCALAPPDATA%\copilot\marketplaces\github-awesome-copilot\skills\automate-this\SKILL.md`
- Behavior: The entire `automate-this/` folder is removed on detection. All other skill folders (~280) are unaffected.
Root Cause Analysis
The SKILL.md file contains a high density of embedded shell commands that trigger ESET's heuristic detection engine:
| Pattern | Context in SKILL.md | Why it triggers |
|---|---|---|
| `uname -a`, tool enumeration loop | Phase 3 (Environment Fingerprint) | Looks like system reconnaissance |
| `chmod 700`, `mktemp -d` | Phase 1 (Frame Extraction) | Restricted temp directory creation |
| `rm -rf "$WORK_DIR"` | Cleanup section | Destructive file operation |
| `ffmpeg`/`ffprobe` extraction | Phase 1 | Media extraction (surveillance-adjacent) |
| `smtplib`, credential/keychain references | Phase 4 (Automation Strategies) | Credential access patterns |
Individually these are benign, but combined in a single text file they exceed the heuristic threshold for "script-based threat template."
Impact
Users with ESET (or potentially other heuristic-heavy AV solutions) will have this skill silently removed, with no indication of why. The skill cannot be used without manually adding an AV exclusion path.
Suggested Mitigations
- Documentation: Add a note to the skill or README that AV software may flag this file, with instructions for adding exclusion paths.
- Content restructuring (optional): Consider moving the shell command examples into a separate file or reducing the density of security-sensitive patterns in the main SKILL.md.
- VirusTotal check: Consider scanning the file on VirusTotal to identify which AV engines flag it, and submit false positive reports to those vendors.
Reproduction
- Install ESET Security on Windows
- Sync/install awesome-copilot skills via Copilot marketplace
- Observe that `automate-this/` folder is removed by real-time protection
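
One way to act on the content-restructuring suggestion, as an added example (not code from this issue or from the awesome-copilot project): a lint that reports which of the table's pattern categories co-occur in a single Markdown file. The regexes, the `max_categories` budget and the sample text are assumptions of this example, and it does not reproduce ESET's heuristics.

```python
import re

# Categories come from the issue's table; the regexes and the threshold are
# assumptions of this example, not ESET's detection logic. The "tool
# enumeration loop" is not modelled because the issue does not quote it.
CATEGORIES = {
    "system reconnaissance": [r"\buname\s+-a\b"],
    "restricted temp directory": [r"\bchmod\s+700\b", r"\bmktemp\s+-d\b"],
    "destructive file operation": [r"\brm\s+-rf\b"],
    "media extraction": [r"\bff(?:mpeg|probe)\b"],
    "credential access": [r"\bsmtplib\b", r"\bkeychain\b", r"\bcredentials?\b"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in CATEGORIES.items()}


def scan(markdown_text):
    """Map each matched category to the 1-based line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(markdown_text.splitlines(), start=1):
        for name, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                hits.setdefault(name, []).append(lineno)
    return hits


def needs_split(markdown_text, max_categories=2):
    """True when one file mixes more categories than the (assumed) budget allows."""
    return len(scan(markdown_text)) > max_categories


# Constructed sample, not the real SKILL.md.
SAMPLE = """\
## Phase 1
WORK_DIR=$(mktemp -d) && chmod 700 "$WORK_DIR"
ffmpeg -i input.mp4 "$WORK_DIR/frame_%03d.png"
## Phase 3
uname -a
## Cleanup
rm -rf "$WORK_DIR"
"""

if __name__ == "__main__":
    for category, lines in scan(SAMPLE).items():
        print(f"{category}: lines {lines}")
    print("split recommended:", needs_split(SAMPLE))
```

Run against each skill file in CI, the per-category line numbers show which sections to move into a separate file.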