RAG Pipeline Starter

Security checks across malware telemetry and agentic risk

Overview

This RAG helper is coherent and locally scoped, with one privacy caveat: the included scripts run locally, but if users opt into a hosted embedding provider, document content leaves the local trust boundary and the skill does not warn about it.

Reasonable to install for local RAG experimentation. Use it only on data you are comfortable processing locally, and if you later wire in OpenAI, Cohere, or another hosted embedding service, assume document chunks may be sent to that provider and review privacy, consent, and redaction requirements first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill explicitly recommends benchmarking embeddings on user data and lists paid third-party providers such as OpenAI and Cohere, but it does not disclose that document content is transmitted to those services when they are used. In a RAG pipeline the input often consists of proprietary, regulated, or otherwise sensitive business documents, so omitting this warning can lead users to send such data outside their trust boundary without realizing it.
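The Overview recommendation and this finding describe the same trust-boundary problem: chunks silently leaving the host once a hosted provider is configured. The following is one way a pipeline author can make that boundary explicit in code. It is an added example, not code from the skill or from SkillSpector; the local host list, the redaction patterns, the endpoint URLs and the sample chunks are assumptions constructed for illustration.

```python
"""Trust-boundary gate for RAG embedding calls (added example).

A wrapper that refuses to send document chunks to a non-local embedding
endpoint unless the operator has opted in, redacts obvious secrets and PII
before anything leaves the host, and keeps an audit record of what was sent.
"""
import re
from collections.abc import Callable, Iterable
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hostnames treated as inside the local trust boundary (assumption for this example).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Redaction patterns, constructed for this example; extend them for your own data.
REDACTIONS = [
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"), "[API_KEY]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[AWS_KEY]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
]


class ExternalTransmissionError(RuntimeError):
    """Raised when chunks would leave the host without explicit consent."""


def redact_all(chunks: list[str]) -> tuple[list[str], int]:
    """Apply every REDACTIONS pattern; return the cleaned chunks and the hit count."""
    out, total = [], 0
    for text in chunks:
        for pattern, token in REDACTIONS:
            text, n = pattern.subn(token, text)
            total += n
        out.append(text)
    return out, total


@dataclass
class EmbeddingGate:
    endpoint: str
    embed_fn: Callable[[list[str]], list[list[float]]]
    allow_external: bool = False   # operator must opt in to hosted providers
    redact: bool = True            # redact before any external transmission
    audit_log: list[dict] = field(default_factory=list)

    def is_external(self) -> bool:
        host = urlparse(self.endpoint).hostname or ""
        return host not in LOCAL_HOSTS

    def embed(self, chunks: Iterable[str]) -> list[list[float]]:
        chunks = list(chunks)
        external = self.is_external()
        if external and not self.allow_external:
            raise ExternalTransmissionError(
                f"{len(chunks)} chunk(s) would be sent to {self.endpoint}; "
                "set allow_external=True only after reviewing privacy and consent."
            )
        redactions = 0
        if external and self.redact:
            chunks, redactions = redact_all(chunks)
        self.audit_log.append({
            "endpoint": self.endpoint,
            "external": external,
            "chunks": len(chunks),
            "bytes": sum(len(c.encode()) for c in chunks),
            "redactions": redactions,
        })
        return self.embed_fn(chunks)


class RecordingEmbedder:
    """Stand-in for a provider SDK call: records what it receives, returns toy vectors."""

    def __init__(self) -> None:
        self.sent: list[str] = []

    def __call__(self, chunks: list[str]) -> list[list[float]]:
        self.sent.extend(chunks)
        # Not a real embedding, just a deterministic vector per chunk.
        return [[float(len(c)), float(sum(map(ord, c)) % 997)] for c in chunks]


# Constructed sample chunks with the kind of content a RAG corpus might hold.
SAMPLE_CHUNKS = [
    "Contact alice@example.com about invoice 4711.",
    "Deploy token sk-abcdefghijklmnopqrstuvwxyz1234 is in the vault.",
    "Quarterly revenue grew 12 percent.",
]


if __name__ == "__main__":
    local = EmbeddingGate("http://localhost:11434/api/embeddings", RecordingEmbedder())
    local.embed(SAMPLE_CHUNKS)
    print("local:", local.audit_log[-1])

    hosted = EmbeddingGate("https://api.openai.com/v1/embeddings", RecordingEmbedder())
    try:
        hosted.embed(SAMPLE_CHUNKS)
    except ExternalTransmissionError as exc:
        print("refused:", exc)

    hosted.allow_external = True
    hosted.embed(SAMPLE_CHUNKS)
    print("hosted:", hosted.audit_log[-1])
```

The hostname check is only a guard against accidental configuration, not against a deliberate local proxy, and regex redaction catches only what it is written to catch; both are meant to force the consent decision into the code path rather than to replace the privacy review the finding asks for.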

VirusTotal

0 of 66 vendors flagged this skill; all 66 returned clean. This covers only the distributed files and says nothing about where data flows once a hosted provider is configured.