Clay

Security checks across malware telemetry and agentic risk

Overview

This skill locally checks PMU CSV data and writes expected local reports, with no evidence of hidden network access, credential use, or persistence.

Install this only if you intend to analyze PMU CSV files. Use explicit input and output paths, keep generated flagged CSV or HTML reports in an appropriate directory, and treat both the source measurements and derived reports as sensitive operational data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrases are broad enough that the skill may activate for generic requests to 'validate', 'check', or 'audit' PMU-related data without strong scoping. That can cause unintended execution paths, including reading user-supplied files and invoking Bash-based processing when the user did not explicitly request this specific skill, increasing the risk of inappropriate tool use or accidental data handling.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill states that it writes a flagged-rows CSV alongside the input file, but this side effect is not prominently disclosed as a file-system modification requiring user awareness and consent. In practice, this can violate expectations of read-only analysis, create artifacts in sensitive directories, or leak derived data into locations the user did not intend to modify.

VirusTotal

67/67 vendors flagged this skill as clean.
