Showstart Skills

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Showstart event-search skill, with a privacy caution for optional nearby searches that send coordinates over HTTP.

Install only if you are comfortable sending Showstart search terms and any coordinates you enter to the Showstart service. Avoid exact home or work coordinates for nearby search, and prefer changing the client to use the documented HTTPS endpoint before sharing precise location data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The nearby-search function transmits precise longitude and latitude to a remote service, which can reveal a user's current or habitual location. This is more concerning because the API endpoint uses plain HTTP rather than HTTPS, so the coordinates could also be intercepted or modified in transit by a network attacker.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal