Back to skill

Security audit

Analytics Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only analytics reporting skill that openly handles business metrics and reports them to a named recipient, with privacy scoping users should configure before use.

Install only if Thomas is an intended recipient and the allowed dashboards, logs, spreadsheets, metrics, and report channels are clear. Review or require approval before sending reports that include trading results, revenue, payments, user data, leads, or raw logs, and prefer aggregated or redacted data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to send aggregated reports 'an Thomas' without any consent check, recipient validation, or disclosure boundary. Because the skill handles trading, app, freelance, marketing, and log-derived data, this could expose sensitive business metrics or user-related information to a human recipient automatically or without user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.