CMIC Skill Scanner (Linux ARM64)

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-scanning helper with optional user-configured report upload, and the reviewed artifacts do not show hidden sending, persistence, or destructive behavior.

Use local review mode by default. Only set --upload-url for trusted, approved HTTPS endpoints because reports may reveal sensitive project or security details, and verify or build the referenced scanner binary before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The installation guide documents an enterprise batch review mode that uploads scan results, including full embedded review details and findings, to a remote URL, but it does not provide a clear warning about data disclosure, trust boundaries, or the sensitivity of transmitted content. This can cause users to unintentionally exfiltrate potentially sensitive skill contents, scan findings, paths, or metadata to external infrastructure, especially in enterprise or automated environments where commands may be copied verbatim.

VirusTotal

65/65 vendors flagged this skill as clean.
