Innovation Catalyst

Security checks across malware telemetry and agentic risk

Overview

This skill appears to run local gap analysis only, though its documentation overstates planned Feishu and memory-file reporting behavior.

Installing this version should be low risk based on the shipped code. Users should still treat the Feishu and memory-file documentation as a warning about intended future behavior: do not enable any wrapper, gene trigger, or modified version that sends reports externally unless recipients, preview, and redaction are clear.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly states it reads system memory, tools, and recent events, then sends a rich report to Feishu, but the description provides no notice, consent boundary, scoping rule, or data minimization guidance for that access and transmission. In an agent environment, this can expose sensitive operational context, internal state, or user-related data to an external messaging platform without clear authorization, making the behavior a genuine privacy and data-handling vulnerability.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal