جاك العلم

Security checks across malware telemetry and agentic risk

Overview

This is a shopping research skill with scoped web research and report generation, with one minor disclosure issue about external font loading.

Use this for shopping research and recommendations, not purchase authorization. Do not provide store logins, payment details, banking information, or unnecessary personal data, and verify seller reputation, warranty, delivery, return terms, and current price before using generated buy links. If privacy-sensitive or offline reports matter, remove or localize Google Fonts and avoid remote product images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The template imports Google Fonts from external CDNs while the design notes explicitly claim there are no external dependencies and that the report works offline. This creates an unadvertised network dependency that can leak metadata such as client IP/user agent when the HTML is opened and can also break rendering in offline or restricted environments.

VirusTotal

66/66 vendors flagged this skill as clean.
