Pitch Deck

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local utility that stores user-entered data and command history locally, with privacy caveats but no evidence of exfiltration or destructive behavior.

Before installing, understand that data you type into this utility, and possibly the command arguments you use with it, may be saved in local files and later shown or exported. Do not enter API keys, passwords, tokens, private identifiers, or sensitive notes unless you are comfortable storing them locally; check file permissions and delete the history/data files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 86%
Finding
The helper logs command names and user-supplied arguments into a persistent history file without notice, which can expose sensitive values entered on the command line such as search terms, identifiers, or other private content. In this utility context, the risk is elevated because most commands call the same logging routine, making collection broad and ongoing.

Missing User Warnings

Medium
Confidence: 82%
Finding
The add command persists arbitrary user input directly into a long-lived data file with no warning, validation, or data-handling controls. While not code execution, this creates a privacy and data-retention risk because users may unknowingly store secrets or sensitive content that can later be exposed through list/export operations.

VirusTotal

62/62 vendors flagged this skill as clean.
