QSR Labor Leak Auditor

Security checks across malware telemetry and agentic risk

Overview

The available scanner signals do not show malicious behavior, but the referenced workforce-monitoring privacy concern could not be independently verified from the accessible workspace artifacts.

Before installing, confirm the skill’s README explains what employee or shift data is analyzed, who can see override logs, how long records are kept, and what notice or approval is required. Use it only where workforce monitoring is lawful and governed by clear access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly describes behavior that evaluates possible clock padding, labor inefficiency, and manager override logging, but it does not warn users about employee privacy, monitoring sensitivity, retention, access controls, or accountability risks. In a workforce-management context, this omission can lead operators to deploy monitoring and override workflows without appropriate notice, governance, or safeguards, increasing the risk of unfair surveillance, misuse of personnel data, and disputes over management decisions.

VirusTotal

66/66 vendors flagged this skill as clean.
