Query Directory (查询目录)

Security checks across malware telemetry and agentic risk

Overview

This is a narrow skill that lists customer folder names from one disclosed local Windows directory, with privacy considerations but no hidden or destructive behavior.

Install only if you want the agent to reveal the names of folders under E:\work\custom. Do not install it on machines where that path contains confidential customer names the agent should not see, and consider using an explicit invocation phrase or confirmation before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are broad, generic terms about customers and are likely to match ordinary user conversation rather than a clearly intentional invocation. That can cause the skill to run unexpectedly and disclose the names of client directories from a local filesystem, which may reveal sensitive business relationships or internal organizational data.

VirusTotal

65/65 vendors flagged this skill as clean.
