Back to skill

Security audit

VirusTotal Hash Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward VirusTotal lookup skill, but users should only use it for indicators they are allowed to share with VirusTotal.

Install this only if you are comfortable using a VirusTotal API key and sending queried hashes, URLs, domains, or IP addresses to VirusTotal. Avoid submitting confidential internal URLs, private hostnames, customer-linked indicators, or sensitive incident details unless your organization permits that sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad terms like 'IOC', 'threat intel', 'VirusTotal', and generic Chinese equivalents, which can cause the skill to activate in conversations that are not clear requests to submit data to VirusTotal. Unintended invocation matters here because the skill sends indicators to a third-party service, creating privacy and operational exposure if sensitive internal IOCs are shared without deliberate user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description encourages users to paste hashes, URLs, domains, and IPs for enrichment but does not warn that these artifacts will be transmitted to the external VirusTotal service. In security workflows, IOCs may be confidential, customer-linked, or part of an undisclosed incident, so silent external submission can leak sensitive investigative data and tip off third parties.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends user-supplied hashes, URLs, domains, and IPs directly to the VirusTotal service. In a security workflow this is expected behavior, but it still creates an external disclosure risk because submitted IOCs may be sensitive, customer-specific, or operationally confidential, and the script provides no explicit warning, consent gate, or privacy notice before transmission.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.