Skill Files

Security checks across malware telemetry and agentic risk

Overview

This skill is a UI review helper with disclosed external guideline fetching and fixed remediation lookup commands, with no evidence of hidden, destructive, or data-exfiltrating behavior.

Before installing, understand that reviews depend on live content from the Vercel Labs GitHub raw URL and may run fixed local lookup commands for remediation guidance. Use it for UI review on code you are comfortable letting the agent read, and be cautious if the remote guideline source changes unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding: The skill is for reviewing UI guideline compliance, but it additionally instructs running local shell commands for remediation lookup. That expands the skill from passive analysis into code/tool execution, creating unnecessary attack surface if the referenced scripts or arguments are modified, influenced by untrusted input, or executed automatically by an agent.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill mandates fetching fresh instructions from an external URL on every run without user notice. This introduces both undisclosed network access and prompt-injection/supply-chain risk, because the fetched remote content becomes controlling instructions for the analysis and output behavior.

VirusTotal

63/63 vendors flagged this skill as clean.
