Macrocosmos

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill coherently explains how to fetch X and Reddit data through Macrocosmos, with expected API-key use and no hidden executable behavior.

Before installing, verify that you trust Macrocosmos and use a dedicated, revocable API key. Avoid placing real keys in prompts or logs, review applicable platform terms and privacy obligations before bulk collection, and minimize retention or redistribution of downloaded social-media datasets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs users to send a secret API key in an Authorization header and to retrieve potentially large-scale social-media datasets, but it does not include any privacy, retention, consent, or downstream handling guidance. In a data-collection skill, that omission can lead users or agents to gather, store, and redistribute personal or sensitive content without adequate safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal