Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed API connector that sends only user-provided workflow text and queries to an external service, with no local code execution or credential access in the package.

Install this only if you are comfortable sending the flow code and query text you provide to api.neurodoc.app. Avoid including passwords, personal data, private files, credentials, or confidential business information unless you have reviewed and trust the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill description is extremely broad ('AI workflow orchestration' for recipes, business strategy, market analysis, molecular gastronomy, and more), which can cause an agent to invoke the skill for loosely related requests without clear user intent. In an API-connector skill that transmits user content to a third-party service, over-broad triggering increases the chance of unnecessary external data disclosure and unexpected delegation.

Natural-Language Policy Violations

Medium
Confidence: 78%
Finding
The example flow hard-codes `language="el"`, which may cause outputs to be generated in Greek even when the user did not request that language. While not a direct exploit primitive, it can override user expectations, reduce transparency, and make downstream review or safety checks harder if the agent reuses the example verbatim.

VirusTotal

65/65 vendors flagged this skill as clean.
