task-status

Security checks across malware telemetry and agentic risk

Overview

This skill simply looks up an AICNIC job status, but it sends the provided job ID to an external HTTP endpoint.

Install only if you intend to query the AICNIC job system. Avoid submitting sensitive job IDs unless you are comfortable sending them to www.aicnic.cn over plain HTTP, and prefer a safe HTTP client or URL encoding for unusual jobId values.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill instructs the agent to send a user-provided jobId to an external third-party service over the network without any disclosure, consent step, or privacy warning. Even though the data appears limited, job IDs can still be sensitive operational metadata, and the use of plain HTTP further increases exposure by allowing interception or tampering in transit.

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The workflow explicitly directs making an outbound GET request to a remote system without warning the user that external network access will occur. In an agent setting, this can cause unintended disclosure of user-supplied identifiers and creates additional risk because the endpoint is contacted automatically as part of normal execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal