Trivy Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Trivy vulnerability-scanning guide, with expected but privacy-relevant scanning and enrichment behavior users should scope carefully.

Install only after verifying the Trivy package source and approving any sudo or Homebrew changes. Before running it, specify the exact image, path, repository, SBOM, or Kubernetes context to scan, and be aware that CVE lists may be sent to FIRST and CISA for enrichment while raw scan reports may contain sensitive vulnerability, secret, or infrastructure details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to send derived scan data, specifically enumerated CVE identifiers, to third-party services such as FIRST EPSS and CISA without clearly warning the user that scan-derived information will leave the environment. In enterprise settings, even derived metadata about internal assets and vulnerabilities can be sensitive and may violate data handling expectations or policy.

VirusTotal

65/65 vendors flagged this skill as clean.
