agent-workflow-designer

Security checks across malware telemetry and agentic risk

Overview

This skill is a non-executable guide to designing multi-agent AI workflows. Its examples call external model APIs, which is expected for that purpose, but every such call hands context to a third party, so the data placed in prompts and handoffs needs care.

Safe to install as a reference skill. Before adapting its code:
  • use API keys scoped to the minimum the workflow needs;
  • keep secrets, personal data, regulated data and full internal documents out of prompts and agent-to-agent handoffs;
  • redact context a downstream agent does not need before it is sent;
  • set spending and rate limits on every model account the workflow uses;
  • check your model provider's data-retention settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings
Medium, 94% confidence
Finding
The skill repeatedly demonstrates sending user requests, intermediate outputs, competitor analyses, and workflow context directly to external model APIs, but it does not include any privacy notice, consent step, data classification guidance, or redaction requirements. In a production orchestration skill, this omission can lead users to forward sensitive business, personal, or regulated data to third-party providers without understanding the exposure, and the multi-agent design increases that risk by propagating data across several calls.
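One way to turn the recommendation above and the redaction step this finding says is missing into an enforced control, as an added example (this is not code from the agent-workflow-designer skill, from SkillSpector or from NVIDIA): a guard that every handoff passes through before the orchestrator calls an external model API. It refuses payloads above a classification ceiling, drops fields the next agent does not need, and redacts secret and personal-data formats in what remains. The detector patterns, the classification labels, the `EXTERNAL_CEILING` policy and the sample handoff are assumptions constructed for illustration.

```python
"""Pre-send guard for multi-agent handoffs that leave for an external model API.

Added example for this page; it is not code from the agent-workflow-designer skill
or from SkillSpector.  The detector patterns, the classification labels and the
policy ceiling below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Ordered detectors.  Constructed for this example; a real deployment would add
# its own secret formats and pair this with a dedicated secret/PII scanner.
PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn_us": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits with optional single spaces/dashes; confirmed with Luhn below
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}

# Assumed classification scale and the highest level allowed to reach a
# third-party model.  Anything above it is refused outright, so a downstream
# agent cannot quietly forward it on the next hop.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
EXTERNAL_CEILING = "internal"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers are not redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Replace each detected secret/PII span with [REDACTED:<type>]; count per type."""
    counts: dict[str, int] = {}

    def replacer(name):
        def _sub(m):
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # digit run that is not a card number: keep it
            counts[name] = counts.get(name, 0) + 1
            return f"[REDACTED:{name}]"
        return _sub

    for name, pattern in PATTERNS.items():
        text = pattern.sub(replacer(name), text)
    return text, counts


class HandoffRejected(Exception):
    """Raised when a handoff is too sensitive for an external model call."""


@dataclass
class Handoff:
    source_agent: str
    target_agent: str
    classification: str      # label set by the producing agent or its operator
    fields: dict[str, str]   # named pieces of context, e.g. task, analysis, notes


def prepare_external_handoff(handoff: Handoff, needed_fields: set[str]) -> dict:
    """Enforce the ceiling, drop fields the target does not need, redact the rest.
    Call this at every hop, not only at the first external call."""
    if CLASSIFICATION_RANK[handoff.classification] > CLASSIFICATION_RANK[EXTERNAL_CEILING]:
        raise HandoffRejected(
            f"{handoff.classification!r} data may not be sent to an external model "
            f"(ceiling is {EXTERNAL_CEILING!r})")
    payload: dict[str, str] = {}
    redactions: dict[str, int] = {}
    for name in sorted(needed_fields & set(handoff.fields)):
        cleaned, counts = redact(handoff.fields[name])
        payload[name] = cleaned
        for kind, n in counts.items():
            redactions[kind] = redactions.get(kind, 0) + n
    return {
        "from": handoff.source_agent,
        "to": handoff.target_agent,
        "payload": payload,
        "redactions": redactions,   # safe to log; the raw matches are not
        "dropped_fields": sorted(set(handoff.fields) - needed_fields),
    }


if __name__ == "__main__":
    # Constructed sample handoff: the key is a fabricated sample value and the
    # card number is the standard 4111... test number.
    sample = Handoff(
        source_agent="research",
        target_agent="writer",
        classification="internal",
        fields={
            "task": "Summarize the competitor analysis for alice@example.com and "
                    "upload it with key AKIAABCDEFGHIJKLMNOP.",
            "analysis": "Competitor X charged corporate card 4111 1111 1111 1111 for "
                        "the pilot; the sequence 1234 5678 9012 3456 is not a card.",
            "internal_notes": "Board deck says the margin target is 40%; do not share.",
        },
    )
    print(prepare_external_handoff(sample, {"task", "analysis"}))
```

The guard runs at each hop rather than once at the workflow entry, because the finding's point is that a multi-agent design propagates data across several calls; the returned `redactions` counts can go to the audit log while the matched values never leave the process. Regex detectors are a floor, not a ceiling: they catch well-known key and identifier formats, not a confidential paragraph of prose, which is why the classification label carried on the handoff is what decides whether the call happens at all.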

VirusTotal

65/65 vendors reported this skill as clean (0 detections).
