It Searching

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only helper for searching public tech blogs and arXiv, with no evidence of hidden access, persistence, credential use, or unsafe actions.

Install only if you want the agent to fetch and summarize public technology news and AI research pages. Avoid giving it private URLs or sensitive information unless you intend that content to be retrieved online, and verify important claims against the cited source pages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill is named and described very broadly as "it searching," with little boundary-setting on when it should activate or what kinds of searches it should avoid. In an agent system, vague activation scope can cause the skill to trigger for unrelated requests and apply web-browsing behavior or tool-use instructions in contexts where they were not intended, increasing the chance of unsafe retrieval, policy bypass through misrouting, or incorrect delegation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal