Guiro

Security checks across malware telemetry and agentic risk

Overview

Guiro is a clearly scoped helper for publishing selected dashboard data to a public share-link service, with the main risk being accidental inclusion of sensitive data.

Install only if you intend to publish the selected JSON data to Guiro. Treat GUIRO_API_KEY as a secret and review payloads before creation; do not include secrets, personal data, or confidential business data unless you are comfortable with anyone who has the short-lived link viewing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill repeatedly emphasizes that created dashboards are viewable by anyone via a no-login link, but it does not present this as a prominent user warning or require confirmation before publishing potentially sensitive data. In this context, the core function is external publication, so omission of an explicit data-exposure warning materially increases the risk of accidental disclosure.

VirusTotal

67/67 vendors flagged this skill as clean.
