Back to skill

Security audit

facequet

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple disclosed web-page reader that fetches a user-provided URL and extracts text, with dependency hygiene issues but no hidden access or persistence.

Install only where outbound web requests are acceptable. Provide only URLs you intend the skill to fetch, avoid private or internal URLs, and pin reviewed dependency versions before using it in a production or sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
beautifulsoup4
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
beautifulsoup4
Confidence
95% confidence
Finding
beautifulsoup4

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
requests

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.