Maritime Watch

Security checks across malware telemetry and agentic risk

Overview

This appears to be an unfinished port-monitoring prototype that advertises real security/status reporting but only contacts placeholder URLs and returns “Not implemented yet.”

Install only for inspection or development. Do not rely on it for real port, vessel, weather, news, or security status until it names real data providers, documents outbound requests, uses the port input safely, implements validation, and returns tested JSON output.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 82% confidence
Finding: The skill explicitly states it collects data from external weather, vessel tracking, and news sources, but it does not warn users that invoking the skill may trigger network access and third-party data retrieval. This creates a transparency and privacy issue: users may unknowingly cause outbound requests that reveal queried targets or usage patterns to external services.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The script makes outbound network requests to multiple external endpoints without any user-facing notice, consent flow, or clear disclosure of what data is being transmitted or retrieved. In an agent skill context, undisclosed external communication can violate user expectations and platform trust boundaries, especially when the skill also contacts vessel-tracking and security-alert sources beyond the apparent weather use case.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal