Adobe Automator

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed Adobe automation bridge, but it can run powerful scripts that should only be used with trusted code.

Install only if you need Adobe ExtendScript automation and are comfortable reviewing scripts before they run. Do not execute JSX from unknown sources; use a dedicated or low-privilege user account, avoid sensitive folders, and consider VM isolation for risky workflows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Behavioral ASTexec() Call, eval() Call, Dynamic Import
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This code writes user-supplied JSX to a temporary file and then launches platform shell tooling (`cscript` or `osascript`) to execute it, which are safety-relevant operations for a code file. Although there is an internal comment warning at L073-L074, the user-facing command description at L058 does not disclose the temp-file creation or subprocess execution, so the action lacks visible user disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal