Auto Building

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed content-aggregation setup skill, with the main caution that it runs an external npm project and can collect from arbitrary web sources.

Before installing, review the external GitHub repository and npm dependencies, preferably use a pinned commit or release, and configure only sources you are authorized to collect from. Keep human review enabled before publishing collected content, and add your own rate limits, robots.txt/TOS checks, and privacy/copyright controls for recurring collection jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly instructs users to configure external sources and run automated collection workflows, but it does not warn about legal, privacy, rate-limiting, robots.txt, or target-site impact. In a scraping-focused skill, that omission materially increases the chance that users deploy collection against third-party services in a non-compliant or disruptive way.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal