ESG Sustainability Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a simple ESG reporting skill with no executable code, persistence, or credential access, but users should treat company ESG inputs as confidential business data.

Before installing, consider whether you are comfortable giving the agent energy use, travel, waste, supplier, and ESG compliance data. Avoid pasting confidential company records unless the workspace and model/tool settings are approved for that use, and ask the agent to confirm before doing external research with sensitive context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill advertises automatic collection of carbon-emissions and related ESG data while declaring capabilities such as web_search and data_analysis, but it does not clearly disclose what external data access may occur, what business data may be processed, or what privacy/confidentiality risks apply. In an ESG context, users may provide or the skill may infer sensitive operational, supplier, travel, and emissions information; without explicit notice and consent boundaries, this can lead to unintended exposure of confidential corporate data or unauthorized external retrieval/processing.

VirusTotal

64/64 vendors flagged this skill as clean.
