Back to skill

Security audit

Accessibility Toolkit

Security checks across malware telemetry and agentic risk

Overview

This accessibility skill is coherent and not malicious, but it needs review because it encourages low-friction control over physical home access without enough safety boundaries.

Review before installing. Use this only with carefully scoped smart-home permissions, strong presence checks before any door unlock, audit logging, and no hardcoded or displayed entry codes. Treat conversation-history analysis as sensitive and enable it only with explicit user consent and clear deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes an automation that unlocks the front door automatically on arrival, but it does not mention safeguards such as device-auth confidence, geofence spoofing resistance, secondary presence checks, or an explicit user warning about physical security tradeoffs. In an accessibility context this may be well-intentioned, but compromised location signals, misconfigured automations, or unexpected trigger conditions could cause unauthorized physical access to the home.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The example error-reporting pattern exposes a manual backup door code directly in plaintext. Even as documentation, this normalizes sharing a sensitive credential through agent messages, logs, screenshots, notifications, or history, which could enable unauthorized entry if viewed by others or retained insecurely.

Ssd 3

Medium
Confidence
87% confidence
Finding
The script description says it analyzes conversation history to identify repeated requests, which creates a privacy and retention risk because historical interactions may contain sensitive health, home, and daily-routine information. In this accessibility skill, the data is especially sensitive because it can reveal disability-related needs, schedules, medications, and household patterns.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.