CMIC Skill Scanner (macOS ARM64)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local scanner wrapper, with the main caution being optional upload of scan reports and the need to verify any scanner binary before running it.

Before installing, verify that any actual scanner binary is present and its SHA-256 matches the documented checksum, or build it from source if you do not trust the release host. Only use --upload-url with a trusted endpoint because scan findings can expose sensitive details about private skills or internal packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The installation instructions explicitly show sending detailed scan results, including full summaries and findings, to an external URL in an enterprise workflow. Because scan findings may contain sensitive metadata, internal paths, package contents, or other confidential review details, omitting any warning, consent step, redaction guidance, or trust-boundary explanation creates a real privacy and data-exposure risk.

VirusTotal

63/63 vendors flagged this skill as clean.
