Back to skill

Security audit

Nimble

Security checks across malware telemetry and agentic risk

Overview

This is a small, instruction-only scooter integration skill whose device-control features are disclosed, but users should treat reset and speed-setting commands carefully.

Install only if you own or are authorized to manage the Nimble scooter. Before changing speed limits, lights, firmware, or using factory reset, keep the scooter stationary, understand local rules and safety effects, back up settings where possible, and require explicit confirmation for reset or configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly supports changing vehicle parameters such as speed limits and lighting settings, which can affect safety, legality, or device behavior, yet the documentation does not present clear warnings, confirmation requirements, or consequences. In a vehicle-control context, undocumented configuration changes increase the risk of unsafe operation, accidental misconfiguration, or loss of previous settings.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documented `Nimble 重置` command exposes a factory reset action without stating that it is destructive, may erase configuration, or may be irreversible. Because this skill manages a physical device, an unsuspecting user could trigger data loss, lose paired settings or custom parameters, and potentially leave the scooter unusable until reconfiguration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.