AU Construction SWMS Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward SWMS document generator; it asks for site and contact details because those are part of the document it creates, with no hidden execution, network use, or persistence.

Before installing, treat generated SWMS documents as containing workplace and personal information. Provide only the details needed for the specific job, use placeholders where exact personal phone numbers or signatures are not necessary, and review the output with a competent WHS professional before site use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to collect and reproduce sensitive workplace and personal information such as site addresses, principal contractor details, contact names, phone numbers, first aider identity, and emergency contacts, but it provides no privacy notice, data-minimization guidance, or instruction to avoid unnecessary retention/sharing. In practice, this can cause over-collection and exposure of personal or sensitive operational details in chat logs, generated documents, or downstream systems, especially when the SWMS is produced for broad circulation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal