Security audit

NEXUS Translate

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid remote translation skill, with the main user risk being that translated text and payment proof data are sent to NEXUS when used.

Install only if you trust NEXUS with the text you translate and with the payment proof or payment flow. Configure your agent to ask before billable requests where possible, use the sandbox for testing, and avoid sending secrets, regulated personal data, or proprietary content unless the provider’s terms and data handling are approved for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The README states the skill is 'automatically invoked' when a matching task is detected, but it does not define trigger boundaries, consent requirements, or what data may be sent during invocation. In an agent environment, ambiguous auto-invocation can cause unintended use of a paid remote service and accidental transmission of sensitive user content to an external endpoint.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README describes usage and pricing for a hosted translation API but does not clearly warn that translation inputs are transmitted to an external third-party service. Users may unknowingly send confidential prompts, personal data, or proprietary text off-device, creating privacy, compliance, and data-governance risks.

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.