Webhook Receiver Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent webhook helper that stores received event data locally, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable with webhook headers and payloads being saved locally in webhook_logs.json. For production or sensitive webhooks, add redaction for authorization/signature headers, limit retention, and confirm before exposing any local HTTP listener.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation phrase includes the generic term "hook," which is broad enough to match ordinary conversation and may trigger the skill unintentionally. In a skill that can receive, log, and process webhook data, accidental invocation increases the chance of unintended local service exposure or unintended handling of event data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly persists webhook events to a local JSON file, including headers and parsed payload content, but does not warn users that potentially sensitive incoming data will be stored. Webhook payloads often contain tokens, identifiers, message contents, or operational metadata, so silent retention can create privacy, compliance, and local secret-exposure risks.

VirusTotal

66/66 vendors flagged this skill as clean.
