Back to skill

Security audit

Rag Construction

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a purpose-aligned construction RAG helper, with the main caution that exported knowledge bases may contain the original sensitive documents and metadata.

Before installing, assume any exported knowledge base may include confidential project records, contracts, specifications, safety information, and document metadata. Store exports securely, avoid sharing them broadly, and redact or exclude sensitive material when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented export_knowledge_base behavior includes full raw document content and metadata for every ingested construction document, which can expose sensitive project records, contractual data, or proprietary specifications if users export or transfer backups insecurely. In a construction RAG context, this is more concerning because the corpus may contain confidential project, safety, or legal documents, and the skill provides no warning, redaction guidance, or access-control considerations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.