Reducto

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Reducto document-processing skill, but users should understand that document data is sent to Maton and Reducto for processing.

Install only if you trust Maton and Reducto with the documents you process. Avoid using it for sensitive or regulated documents unless that transfer is acceptable, use a dedicated API key where possible, avoid exposing MATON_API_KEY in logs or chat, and require clear confirmation before uploads, document edits, connection changes, or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill processes and uploads user documents to an external third-party service but does not present a clear, prominent warning that document contents will leave the local environment. This can lead to unintended disclosure of sensitive documents, especially because the skill is designed for parsing, extraction, and editing of potentially confidential files.

VirusTotal

62/62 vendors flagged this skill as clean.
