Back to skill

Security audit

Supplier Quality Agreement

Security checks across malware telemetry and agentic risk

Overview

This skill is a supplier quality agreement drafting and review helper that discloses its document-generation behavior and does not show hidden data access, network use, or destructive actions.

Before installing, be aware that the skill is intended to create local supplier agreement report files that may contain commercial or legal content. Choose an output directory deliberately and confirm the referenced report script exists and is the expected one before allowing an agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill explicitly instructs writing generated reports to disk via `scripts/build_report.py` and names output files/directories, but it does not clearly require user confirmation or warn that local files will be created. This can lead to unexpected persistence of potentially sensitive commercial/legal content on the host system, especially in automated agent environments where file writes may occur without the user realizing it.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.