Post Deployment Verifier

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for deployment checks, but it can inspect broad local logs and probe endpoints discovered from the environment without clear scoping or warning.

Review before installing. Use this only in environments where the agent is allowed to inspect local service logs and probe configured or discovered endpoints. Prefer an explicit .deploy-verify.json with known endpoints and avoid running the broad Docker/systemd log checks on shared hosts or where logs may contain secrets or customer data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill description does not warn that verification may inspect local Docker/systemd logs, enumerate environment-derived endpoints, and issue authenticated HTTP requests from configuration. In an agent setting, that omission can cause users to authorize or trigger the skill without understanding that sensitive internal URLs, tokens, service metadata, or response data may be accessed and exposed in output.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal