Back to skill

Security audit

Eam

Security checks across malware telemetry and agentic risk

Overview

This is a simple local asset-tracking skill that stores records on the user's machine and does not show hidden network, credential, or automatic execution behavior.

Install if you want a lightweight local asset log. Do not store secrets or highly sensitive asset details unless you are comfortable with them remaining in ~/.eam, and back up the data file before using remove because deletion is permanent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script persistently stores arbitrary user-supplied entries and configuration values under a predictable path in the user's home directory without warning that data will be retained on disk. In the context of an agent skill, users may provide sensitive operational or asset information assuming ephemeral handling, which can lead to unintended local disclosure or long-term retention of sensitive data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The remove command permanently deletes a selected line from the data file with no confirmation, dry-run mode, or recovery mechanism. This can cause accidental data loss, which is more concerning in a tracking tool where stored records may be important for inventory or audit purposes.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.