virustotal

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed VirusTotal helper, with privacy-sensitive sharing risk that is documented and gated by user confirmation.

Install only if you intend to use VirusTotal and are comfortable sharing submitted files, URLs, domains, or IPs with VirusTotal and its security partners. Prefer hash lookups for sensitive files, avoid proprietary or regulated data, and confirm each submission deliberately.

Publisher note

Skill makes outbound HTTPS requests to www.virustotal.com/api/v3 for file/URL/domain/IP reputation lookups. No inbound connections. Requires network access to query the VirusTotal public API. API key stored locally, never transmitted outside VirusTotal endpoints. Only dependency is curl.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger list includes broad phrases like "scan file", "scan url", "check ip", "check domain", "malware check", and "reputation check", which can match ordinary security-assistance requests and automatically route users into a skill that sends data to a third-party service. In this skill's context, misrouting is especially sensitive because even lookups disclose artifacts or investigation targets to VirusTotal and its partners, creating a real privacy and data-exposure risk if activation occurs without fully informed user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
