Security audit

ami

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed IMA notes and knowledge-base integration that uses user-provided credentials to read, create, append, search, and upload content as requested.

Install only if you trust IMA with the notes, files, and URLs you ask this skill to manage. Prefer environment variables over plaintext credential files when possible, and be explicit about whether you want to search, create a new note, append to an existing note, or upload a file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High
Confidence: 94%
Finding
The trigger description is overly broad and includes common phrases like helping remember something or searching personal content, which can cause the skill to activate for loosely related requests. That increases the chance of unintended access to notes, knowledge-base content, or credentialed API operations without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly instructs clients to display raw backend `errmsg` values directly to users. Server-supplied error strings can contain internal implementation details, policy signals, or operational information that increases information disclosure and may help attackers refine requests, enumerate permissions, or understand backend behavior.

Vague Triggers

Medium
Confidence: 85%
Finding
The search interface is documented to trigger on very broad phrases like “搜索” and “找笔记”, which can overlap with ordinary conversation and cause unintended invocation of a privacy-sensitive note-search capability. In a notes skill, accidental activation is more dangerous because it may expose notebook metadata or personal content without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 89%
Finding
The import_doc operation creates a new note, which is a state-changing write to user data, but the documentation does not require an explicit user-facing acknowledgment that content will be saved into the user's notes. In this skill context, silent writes are risky because users may think they are only drafting, summarizing, or transforming text rather than permanently storing it in a personal knowledge base.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.