Llm Data Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed construction data automation helper, with expected file access and LLM usage guidance that users should apply carefully to sensitive project data.

Install only if you are comfortable granting filesystem access for construction data processing. Review generated Python before running it, choose input and export paths deliberately, avoid sending confidential client, schedule, cost, bid, or specification data to online LLMs without approval, and index only approved document folders.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly recommends using online LLMs for construction data processing but does not warn that prompts, uploaded files, or extracted project data may contain sensitive company information. In this context, users may paste schedules, cost estimates, specifications, or other proprietary data into third-party services, creating confidentiality and compliance risks.

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The local-document indexing example encourages loading all files from a company_documents directory into a searchable index without discussing data classification, file selection, or access controls. Even though the model is local, this can still expose sensitive internal documents to unauthorized local users, overly broad indexing, or accidental inclusion of confidential material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal