Back to skill

Security audit

Content Summary

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform public web search and content summarization as advertised, with no evidence of hidden, destructive, or credential-seeking behavior.

Install it if you are comfortable with the agent using external public search and page retrieval for summary tasks. Be explicit when asking for searches, avoid giving private/authenticated URLs or sensitive data, and confirm that any scraped source use complies with the relevant platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill explicitly allows activation from a broad natural-language request that merely 'clearly asks' for search, ranking, and summary behavior. That increases the chance of unintended routing or prompt-trigger collisions, where unrelated user input could invoke this skill and cause unplanned web access or summarization behavior. In this context the skill can search external public platforms and scrape via Playwright fallback, so accidental activation has meaningful side effects beyond simple formatting.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.