Nm Conjure Gemini Delegation

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Gemini CLI delegation skill, with expected credential and file-sharing risks that users should handle carefully.

Install only if you intend to use Gemini CLI delegation. Use narrow file paths, avoid broad recursive globs over private repositories or home directories, do not include secrets, and manage Gemini credentials through a safe secret mechanism where possible. Review any optional Night Market or delegation-core plugin components separately before enabling them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to authenticate and export an API key without warning about secret exposure, shell history leakage, or the sensitivity of credentials. In practice, users may paste real keys into shared terminals, logs, transcripts, or persistent shell profiles, leading to credential compromise and unauthorized API usage.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The examples encourage passing local files and globs to the Gemini CLI for analysis without disclosing that file contents may be transmitted to an external third-party service. This can cause unintentional exfiltration of sensitive source code, secrets, personal data, or proprietary documents, especially in enterprise or regulated environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal