Plotlake

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Plotlake feed-aggregation skill that uses visible curl commands against a disclosed external API, with ordinary privacy and deletion cautions.

Install/use this skill only if you are comfortable managing Plotlake channels through its external API. Use public RSS or website URLs, avoid sensitive private links, and review DELETE commands carefully before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs users to submit arbitrary URLs to an external service for automatic feed discovery, but it does not warn that these URLs will be transmitted to a third-party API. That can expose private, internal, or sensitive endpoints if a user pastes non-public URLs, and the automatic discovery behavior increases the chance of unintended disclosure.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documentation provides a DELETE example for removing a source without any explicit warning that the action is destructive. In an agent context, this increases the risk of accidental data or configuration loss if the command is copied or executed automatically without confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal