KYC & Identity

Security checks across malware telemetry and agentic risk

Overview

This KYC skill is purpose-aligned but should be reviewed carefully because it handles identity documents and personal data while leaving authentication, endpoint choice, and privacy handling under-specified.

Install only if you can confirm the intended production API endpoint, how bearer tokens are supplied and protected, and the service's privacy, retention, and compliance posture. Do not upload real identity documents or personal data to a development endpoint, and require explicit approval before any document, selfie, address, phone, DOB, document ID, or PIN-related step.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This skill instructs the agent to collect and transmit highly sensitive personal data and identity documents, including passport/ID images, date of birth, address, phone number, and document IDs, but it does not include an explicit user-facing privacy notice, consent checkpoint, retention warning, or guidance on minimizing data exposure. In a KYC context this is especially sensitive because users may provide regulated identity data and document scans, so omission of privacy and handling safeguards increases the risk of over-collection, unintended disclosure, and unsafe user trust assumptions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal