Curl

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a static documentation helper with poor, generic curl content, but it does not show hidden access, persistence, credential use, network calls, or destructive behavior.

Install only if you want a simple static reference placeholder. Do not rely on this skill for accurate curl syntax, flags, or security guidance until its content is replaced with real curl documentation; it does not appear to request sensitive access or perform actions on your system.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The script is presented as a 'curl reference tool' but only emits generic placeholder text that is not actually about curl usage, commands, flags, or safe operational guidance. In an agent skill context, this is dangerous because it can mislead users or downstream agents into trusting inaccurate documentation, causing operational mistakes and unsafe command construction.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The inline description claims the script is a curl reference tool, but the implementation does not provide curl reference content. This mismatch undermines trust in the skill and can cause users or automated systems to rely on incorrect documentation in security-sensitive development workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal