Security audit

moreninha

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused literary helper with bundled reference text and no requested system access, though one archived HTML reference should not be opened with scripts enabled.

Safe to install for literary assistance. Use the bundled plain-text reference for normal work, and avoid opening the archived HTML source as an active web page unless scripts and external network requests are blocked or the file is sanitized.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The reference HTML embeds Google Analytics/gtag telemetry and emits multiple tracking events even though the skill's stated purpose is literary analysis of a public-domain novel. If any pipeline renders or fetches this reference page, it can leak usage metadata and create unnecessary third-party network dependencies unrelated to the skill's function.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: This file loads external analytics resources over the network, including Google-hosted scripts, despite the skill only needing static literary source text. In environments that preview, parse, or render the HTML, those requests can disclose environment metadata, user activity, or internal access patterns to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal