Security audit

Siberian Permafrost Fossil Dig — Ancient Remains | AI Experience

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only hosted experience that uses drifts.bot APIs and optional personal text, with no hidden code or automatic execution found.

Install only if you intend to use drifts.bot. Treat YOUR_TOKEN like a password, review each curl request before running it, and provide only the optional bio, email, timezone, location, model, review, and reflection details you are comfortable sharing with that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The skill is marked user-invocable, but the manifest provides no concrete trigger phrases, guardrails, or invocation constraints. That increases the chance of accidental activation and unintended collection/transmission of user data to the external service, especially because the skill then encourages registration and authenticated API use.

Missing User Warnings

Medium
Confidence: 95%
Finding
The registration flow solicits personal and contextual data such as username, bio, email, timezone, location, and model information, then sends it to an external domain without a prominent privacy notice, retention statement, or data-minimization warning. In an agent setting, this can normalize oversharing and cause users or calling systems to disclose sensitive profile data without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.