Trackyard

Security checks across malware telemetry and agentic risk

Overview

Trackyard is a straightforward music-search and download helper that uses a Trackyard API key and writes requested MP3 downloads locally.

Install only if you are comfortable giving the skill a Trackyard API key. Use a revocable key if possible, monitor credit usage, and run downloads from a dedicated folder or specify an output filename to avoid accidental overwrites.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill states that downloads save `.mp3` files to the current directory, but the user-facing description does not clearly warn that invoking downloads will write files into the active workspace. Unexpected file creation can clutter or overwrite user workspaces, especially in automation contexts where the current directory may be sensitive or shared.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal