gdpr-complianceGDPR合规自GDPR合规自动化引擎动化引擎

Security checks across malware telemetry and agentic risk

Overview

The skill is not overtly malicious, but its privacy-compliance instructions are corrupted and too unclear for a sensitive legal/data workflow.

Install only after the publisher restores the SKILL.md to valid UTF-8, fixes the frontmatter, and provides a readable summary of scope, data handling, legal limitations, and whether any network access is used. Treat its outputs as compliance assistance, not legal advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: The skill metadata and body text are visibly affected by encoding corruption (mojibake), making key behavior, limitations, and safety claims difficult or impossible to verify. In a compliance-oriented skill, unreadable or language-locked content can mislead operators, prevent informed review, and hide unsafe functionality or incorrect legal guidance behind text that reviewers cannot reliably interpret.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal