Back to skill

Security audit

Verify Claim

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only fact-checking skill that clearly uses an external verification service, but users should avoid sending private or sensitive claims to it.

Install only if you are comfortable sending public factual claims to verify.agentutil.net or a configured MCP verifier. Do not use it for confidential business facts, personal data, regulated information, secrets, or internal claims unless you have separately approved that data sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Low
Confidence
85% confidence
Finding
The skill broadly instructs agents to verify any factual claim against a live external service by default, without requiring user consent or considering locale, language, or data sensitivity. While the goal is accuracy, this can cause unnecessary disclosure of user-provided content and surprise network access for routine interactions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The fallback workflow explicitly tells the agent to transmit user-provided claims to a third-party HTTP API, but does not require a user-facing warning or consent step. Claims may contain sensitive business, personal, or regulated information, so this creates a real data exfiltration/privacy risk in ordinary use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.