Back to skill

Security audit

NEXUS Quick Translate

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid remote translation skill, with no local file or shell access, but users should avoid sending sensitive text and should control paid invocation.

Install only if you trust NEXUS to process the text you translate and to receive payment proof or payment credentials. Do not send secrets, regulated data, or confidential business text unless external processing is approved. Consider using sandbox or scoped payment credentials and configure your agent to ask before making paid translation requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents sending user input to a remote endpoint but does not clearly warn users that submitted text leaves the local agent environment and is transmitted to a third-party hosted service. This can lead to inadvertent disclosure of sensitive prompts, personal data, or proprietary content because users may reasonably assume a local translation skill from the installation flow and automatic invocation wording.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.