anytocopy-extractor

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only browser workflow for submitting a user-provided social-media link to AnyToCopy and returning extracted text, with the main caution being third-party URL sharing.

Install only if you are comfortable having submitted links opened and processed by anytocopy.com. Do not use it with private, authenticated, tokenized, or sensitive URLs, and remove unnecessary tracking or secret query parameters where practical.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The activation criteria are broad enough that ordinary link-sharing requests could trigger this skill and cause the agent to send user-supplied URLs to an external site without clear user intent. In this skill’s context, that creates a meaningful privacy and consent risk because links may contain personal, private, or tracking information and are routed to a third-party service.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The workflow instructs the agent to paste user-provided links into AnyToCopy but does not warn the user that their data will be transmitted to a third-party website. This is dangerous because shared links can expose private content identifiers, embedded tokens, referral parameters, or sensitive browsing context, and users are not given informed consent before disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal