Web Publish

Security checks across malware telemetry and agentic risk

Overview

The skill’s publishing purpose is understandable, but it tells users to install it by running an unreviewed Pastebin shell script and can expose uploaded documents through a third-party paste service.

Review the exact installer script before running it, or avoid installing until the publisher provides a packaged or pinned installer. Only publish files that are safe to share externally, and assume dpaste.com links may be accessible to anyone who obtains the URL until they expire.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly publishes local Markdown/HTML content to dpaste.com and returns a shareable public URL, but it does not warn users that local file contents are being uploaded to a third-party service and exposed externally. This creates a real risk of accidental data disclosure, especially because the advertised use cases include meeting notes and temporary document sharing, which may contain sensitive information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal