Recipe Finder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a recipe-focused skill whose broad triggers and local favorites storage are worth noticing but fit its stated purpose.

Install only if you are comfortable with a recipe skill activating for general food questions and saving favorites or related preferences locally. On a shared device, review the documented storage path and delete saved data if you do not want those preferences retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The example trigger phrases are very broad everyday utterances such as asking what to eat or how to cook a common dish. In an agent-routing environment, this can cause accidental invocation from unrelated normal conversation, leading to unintended data exposure to the skill, confusing takeovers of user intent, or inappropriate tool activation.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill declares file read/write access for storing favorites and shows a concrete local storage path, but does not clearly warn users that their recipe preferences and usage metadata may persist on disk. This can create an avoidable privacy risk on shared systems or managed environments where local files may be inspected, backed up, or retained longer than users expect.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal