Senior ML Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ML engineering reference skill; its LLM and RAG examples may send data to external providers, but that is expected for its purpose and not hidden.

Safe to install as reference material. Before using the examples with real systems, avoid sending secrets, regulated data, customer records, or confidential internal documents to third-party LLM or embedding providers unless approved; scope API keys, review provider retention settings, and set retention/access controls for vector stores and model registries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The embedding example sends arbitrary input text to an external API provider (OpenAI) but does not mention data handling, consent, redaction, or restrictions on sensitive content. In an MLOps/RAG skill, users may copy production documents, prompts, customer data, or internal knowledge into embedding pipelines, so omission of a warning or privacy guard can lead to unintended third-party disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.
