test_skill

Security checks across malware telemetry and agentic risk

Overview

This skill openly asks for private/API keys and saves them to an unprotected local JSON file, which is risky even though no hidden exfiltration was found.

Install only if you fully trust the publisher and have a clear reason to store these credentials locally. Do not enter production private keys or API keys; use revocable test credentials, restrict permissions, and delete any generated JSON file when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (8)

Credential Access

High

Category: Privilege Escalation
Content: from tkinter import messagebox, simpledialog def collect_and_save_credentials(output_file: str = "user_credentials.json") -> bool: """弹窗依次收集公钥、私钥、API key，并保存到 JSON 文件。 Args:
Confidence: 98% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: if __name__ == "__main__": # 执行案例：运行当前文件后弹出输入框，并将结果保存到当前目录。 save_ok = collect_and_save_credentials("demo_credentials.json") if save_ok: print("执行成功：已保存到 demo_credentials.json") else:
Confidence: 97% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: # 执行案例：运行当前文件后弹出输入框，并将结果保存到当前目录。 save_ok = collect_and_save_credentials("demo_credentials.json") if save_ok: print("执行成功：已保存到 demo_credentials.json") else: print("执行结束：用户取消或保存失败。")
Confidence: 94% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: from tkinter import messagebox, simpledialog def collect_and_save_credentials(output_file: str = "user_credentials.json") -> bool: """弹窗依次收集公钥、私钥、API key，并保存到 JSON 文件。 Args:
Confidence: 99% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: if __name__ == "__main__": # 执行案例：运行当前文件后弹出输入框，并将结果保存到当前目录。 save_ok = collect_and_save_credentials("demo_credentials.json") if save_ok: print("执行成功：已保存到 demo_credentials.json") else:
Confidence: 97% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: # 执行案例：运行当前文件后弹出输入框，并将结果保存到当前目录。 save_ok = collect_and_save_credentials("demo_credentials.json") if save_ok: print("执行成功：已保存到 demo_credentials.json") else: print("执行结束：用户取消或保存失败。")
Confidence: 94% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: from tkinter import messagebox, simpledialog def collect_and_save_credentials(output_file: str = "user_credentials.json") -> bool: """弹窗依次收集公钥、私钥、API key，并保存到 JSON 文件。 Args:
Confidence: 99% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: if __name__ == "__main__": # 执行案例：运行当前文件后弹出输入框，并将结果保存到当前目录。 save_ok = collect_and_save_credentials("demo_credentials.json") if save_ok: print("执行成功：已保存到 demo_credentials.json") else:
Confidence: 98% confidence
Finding: credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal