Unified Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent guide for finding and installing other skills, but users should review any third-party skill before allowing installation.

Install only after reviewing the selected skill's registry page, source, publisher, and version. Avoid sensitive search terms, and be cautious with global installs or commands that skip confirmation prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger guidance is broad enough that the skill may activate on generic help-seeking requests, causing the agent to pivot into searching registries and suggesting third-party installs when the user may only want direct help. In a security-sensitive context, over-invocation increases exposure to untrusted external content and may lead users toward unnecessary package or skill installation from external ecosystems.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The install guidance recommends global installation and suppressed confirmation (`-g -y`) without requiring an explicit warning or renewed user consent. Because this skill is specifically about discovering and installing third-party agent skills, the omission materially increases the risk of silently introducing unreviewed code or persistent agent capabilities from external registries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal