Back to skill

Security audit

Workflow Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a workflow-orchestration skill with a visible example that can send pipeline outputs, so users should treat outbound publish steps carefully.

Before installing, check any workflow that uses publish or send steps: confirm the destination, avoid sending secrets or sensitive scraped content, and prefer redaction or review before outbound delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example workflow includes a `publish` step that performs a `send` action after processing scraped and transformed data, but the skill documentation does not warn users that this may transmit data to an external destination. In an orchestration skill for multi-agent pipelines, this omission is meaningful because users may reuse the example pattern with sensitive intermediate data and unintentionally exfiltrate it.

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.