Nda Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local NDA template generator with some under-disclosed local logging, but no evidence of exfiltration, destructive behavior, or privilege abuse.

Before installing, confirm how the nda-generator command is wired. Use the template-generation commands for drafts, avoid putting highly sensitive deal terms into command arguments or the add command unless local retention is acceptable, and remove the local nda-generator data directory when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 80%
Finding
The logging helper writes command arguments to a persistent history file without any user disclosure, minimization, or protections. In a skill context, users may pass sensitive business or personal text assuming ephemeral processing, and those values will be silently retained on disk where other local processes or users may later access them depending on file permissions and backups.

Missing User Warnings

Medium
Confidence: 91%
Finding
The add command stores arbitrary user-supplied input in a local database file without warning, consent, retention controls, or access protections. Because the tool is misleadingly named 'nda-generator', users could reasonably enter confidential contract or client information, making silent local persistence more dangerous in this context than in an explicitly documented note-taking tool.

VirusTotal

66/66 vendors flagged this skill as clean.
