Back to skill

Security audit

NEXUS Content Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid remote AI content-generation skill, but its broad automatic-use language could trigger networked paid requests without clear per-request control.

Install only if you trust NEXUS with the prompts you send and are comfortable with paid remote calls. Use sandbox mode first, avoid secrets or regulated data, and configure your agent to ask before sending content or spending payment proof on each request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README states the skill is 'automatically invoked' when a matching task is detected, but it does not define what constitutes a match, what user approval is required, or what data may be sent during invocation. In an agent ecosystem, ambiguous trigger scope can cause unintended activation and downstream actions without clear user consent, especially for a paid remote service.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill is described in very broad terms ('blog posts, social media, emails, marketing copy'), which overlaps with a large class of normal user requests and makes accidental or overly eager invocation more likely. In an agent setting, broad activation criteria can cause user content to be routed to an external paid third-party service without sufficiently explicit user intent or narrow task matching.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Step 1: Get the x402/MPP challenge
curl -X POST https://ai-service-hub-15.emergent.host/api/original-services/content-generator \
  -H "Content-Type: application/json" \
  -d '{"input": "your query here"}'
# Returns 402 + WWW-Authenticate: Payment header
Confidence
95% confidence
Finding
curl -X POST https://ai-service-hub-15.emergent.host/api/original-services/content-generator \ -H "Content-Type: application/json" \ -d '{"input": "your query here"}' # Returns 402 + WWW-Authentic

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.