ESG and Sustainability

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent ESG reporting skill, with no evidence of malware or hidden actions, but users should avoid providing unnecessary sensitive employee or business data.

Install only if you intend to use it for ESG or sustainability reporting. Prefer aggregated/anonymized employee metrics, avoid personal employee records unless necessary and authorized, and review outputs before sharing externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (78% confidence)
The trigger phrases are broad, everyday requests such as generating ESG reports or calculating emissions, which can cause accidental invocation outside a clearly scoped user intent. While not a code-execution issue, overbroad activation can lead to unintended processing of business-sensitive sustainability, governance, or workforce data.

Missing User Warnings

Medium (90% confidence)
The skill explicitly collects enterprise energy, waste, and employee data, but provides no privacy notice, minimization guidance, retention limits, or handling rules for sensitive or personal information. In an ESG/CSR context, employee and governance data may include personal, confidential, or regulated information, increasing the risk of privacy violations or inappropriate disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.