Full Page Translate

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform user-directed URL retrieval through a third-party reader service, which is coherent but has a privacy caveat.

Install only if you are comfortable with provided URLs being retrieved through r.jina.ai. Do not use it with private intranet links, signed URLs, account-specific links, or sensitive documents unless you have confirmed that this third-party routing is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to fetch arbitrary user-supplied URLs through r.jina.ai, which sends the target URL and retrieved content to a third-party service without any disclosure or consent step. This creates a real privacy and data-handling risk, especially if users provide internal, sensitive, tokenized, or otherwise non-public links expecting direct translation rather than external retransmission.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal