Cosin

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use an API token for its stated integration, but its examples should handle that token more safely.

Install is reasonable if you need this integration, but avoid pasting real tokens into commands like `--key <token>`. Use a protected environment variable, stdin prompt, or secret manager where possible, and rotate any token that may have been exposed in shell history, logs, or CI output.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill repeatedly instructs users to pass a bearer token via `--key <token>` directly on the command line. Secrets supplied this way are commonly exposed through shell history, terminal logging, process listings, and CI/job telemetry, so the guidance increases the chance of credential disclosure even though it also says to treat the token as sensitive.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal