Investigative Pitch Evaluator

Security checks across malware telemetry and agentic risk

Overview

This text-only journalism workflow is coherent and safe to install, but users should be careful not to share sensitive source or legal details unnecessarily.

Install is reasonable from a security standpoint. Before using it, redact source identities, sealed or embargoed details, privileged legal advice, and raw confidential documents unless your newsroom has approved that workflow and tool for sensitive material. Treat the output as a draft requiring editor and legal review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README explicitly asks users to provide highly sensitive material including source identities, document holdings, legal exposure, deadlines, and reporting constraints, but does not warn against sharing confidential, privileged, or source-protective details. In a journalism context, this is especially dangerous because it can induce users to paste whistleblower information, unpublished evidence, or legally sensitive allegations into the skill, creating confidentiality, retaliation, and defamation-risk exposure if the system is not approved for such handling.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal