sticker

Security checks across malware telemetry and agentic risk

Overview

This sticker skill is broad and always-on, but its behavior is disclosed, limited to fetching and sending stickers, and does not show hidden access, credential use, or destructive behavior.

Install this only if you want the assistant to add stickers proactively in casual or emotional conversations. Be aware that it contacts a third-party sticker API with a selected keyword and may add images unless you opt out or disable it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

High

Confidence: 96% confidence
Finding: The skill is configured with `always: true` and an extremely broad trigger set that includes common greetings, thanks, emotional expressions, and even says to send a sticker proactively by default. This creates unintended invocation across ordinary conversations, increasing the chance of unsolicited outbound requests and media responses in contexts where the user did not ask for the skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal