mlayer-guard

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent security purpose, but it asks agents to send sensitive task context, tool outputs, and the user's LLM API key to an external guard service without enough safeguards.

Install only if you intentionally trust the mlayer-guard endpoint with inspected tool outputs, task context, and a dedicated LLM API key. Do not use your primary provider key; use a low-limit, revocable key and avoid sending confidential email, files, database rows, secrets, or proprietary content unless you have explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill directs the agent to transmit the user's original task and raw external tool output to a remote service, but it does not provide any explicit privacy warning, data minimization guidance, or restrictions on sending sensitive content. Because the skill is intended to process outputs from email, files, APIs, databases, and web sources, this can cause confidential prompts, personal data, secrets, or proprietary information to be exfiltrated to a third party during normal use.

VirusTotal

No VirusTotal findings

View on VirusTotal