
Security audit

Rent Computer Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate rental-assistant purpose, but it can steer broad computer-performance complaints into a rental order flow that sends personal contact and shipping details to an external service without clear consent safeguards.

Install only if you trust this rental provider and want an agent to help submit computer-rental applications. Before sharing an address, phone number, or WeChat details, require the agent to show the exact rental configuration, price, destination endpoint, and all personal data to be sent, then ask for explicit final confirmation before submission.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Vague Triggers

Medium, 93% confidence
Finding
The skill is described as automatically triggering on general complaints about poor computer performance and then proceeding toward recommendation, data collection, and order submission. In an agent setting, broad triggers can cause the workflow to activate without clear user intent to rent, increasing the chance of unintended solicitation and downstream collection of personal data.

Vague Triggers

Medium, 95% confidence
Finding
The listed scenarios are vague and map common support complaints like 'computer too slow' or 'can't run AI' directly to rental activation. That makes the skill prone to misfiring in ordinary troubleshooting conversations, potentially steering users into a transaction flow they did not request.

Missing User Warnings

High, 97% confidence
Finding
The README states the skill will collect shipping address and contact information and automatically submit a rental application, but it does not warn users about this sensitive-data handling or require informed consent. In an autonomous agent workflow, this creates a meaningful privacy and unauthorized-action risk because users may not realize that a casual conversation can lead to PII collection and order placement.

Missing User Warnings

High, 96% confidence
Finding
The feature list advertises automatic collection of address/contact details and automatic order submission as core behavior without any safeguards, approval gates, or privacy notice. This normalization of unattended transaction steps increases the risk of accidental data disclosure and unauthorized purchases or commitments.

Vague Triggers

Medium, 91% confidence
Finding
The trigger conditions are broad enough to activate on ordinary complaints like '我电脑太卡了' ("my computer is too laggy"), which can cause the skill to steer users into a rental workflow without clear confirmation of intent. In a commerce flow that later collects personal information, overbroad triggering increases the risk of unintended solicitation, confusion, and unnecessary disclosure of user data.

Missing User Warnings

High, 97% confidence
Finding
The skill asks for address and contact details and sends them to a third-party endpoint without an explicit privacy notice, consent step, retention statement, or clear disclosure that the data will be transmitted off-platform. Because this is sensitive personal information tied to a commercial transaction, the absence of transparency and consent materially raises privacy, compliance, and user-harm risks.

VirusTotal

66/66 vendors flagged this skill as clean.
