Back to skill

Security audit

Nm Leyline Service Registry

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-style service registry guide that is purpose-aligned, but users should remember it can route prompts and files to external services.

Install only if you intend to coordinate external service CLIs or APIs. Before using it, confirm which services are registered, what files or prompts will be sent, which API keys are available in the environment, and whether failover could send the same content to more than one provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes broad generic terms like "services," "execution," and "integration," which can cause the skill to activate in contexts far beyond its intended scope. For a skill that coordinates external service execution, over-activation increases the chance of unintended invocation, data routing to external tools, or use in sensitive contexts without explicit user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill demonstrates executing prompts and files through external services using configured credentials, but it does not warn that prompts, file contents, and metadata may be transmitted to third-party systems. In this context, the registry centralizes multi-service execution and failover, which makes accidental disclosure more dangerous because sensitive data may be sent to one or several external providers without clear user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.