CMIC Skill Scanner (Linux x64)

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-scanning wrapper with an explicitly optional report-upload feature; the main risk is that uploaded reports may contain sensitive review details.

Install only if you trust the publisher or can verify/build the scanner yourself. Use the local scan mode by default; enable --upload-url only for trusted internal HTTPS endpoints after reviewing the report contents, because findings and summaries can still reveal sensitive project details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The installation documentation instructs users to upload review results, including full scan summaries and findings, to an external URL without clearly warning that these reports may contain sensitive metadata, proprietary skill contents, or internal environment details. In an enterprise batch-review context, this increases the risk of unintended data disclosure to third-party services or misconfigured endpoints.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal