Back to skill

Security audit

Environmental Compliance Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a documentation-only environmental compliance helper, with relevant but potentially sensitive facility questions users should answer carefully.

Install is reasonable for compliance planning, but treat facility operations, hazardous materials, violations, exact locations, and financial details as sensitive. Share only the minimum needed, redact facility identifiers when possible, and do not provide credentials, secrets, regulated records, or security-sensitive site details unless your organization has approved that use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README encourages users to submit facility type, location, and operational details without warning that these may include sensitive business, safety, or regulated environmental information. In this context, facility operations, waste streams, emissions sources, and site details can materially increase security and confidentiality risk if users over-share, especially for critical infrastructure or regulated sites.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly solicits sensitive operational and business information such as facility location, chemicals used, waste generated, permit status, inspection history, violations, employee count, and revenue without any warning about confidentiality, data minimization, or secure handling. In an environmental compliance context, this data could reveal regulatory weaknesses, hazardous materials presence, and commercially sensitive details that could be misused if logged, shared, or exposed to third parties.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.