Pt Site

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated torrent workflow, but it uses private tracker account cookies and can add torrents to qBittorrent with limited safety guidance.

Review before installing. Use only with tracker accounts you are willing to let an agent access, keep the cookie file private with restrictive permissions, redact cookies and passkeys from outputs, and require explicit confirmation before any torrent is downloaded or added to qBittorrent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs use of persistent private-tracker authentication cookies from a local credentials file and shows how to pass them directly in requests. This creates a real risk of credential leakage through logs, shell history, screenshots, command traces, or accidental reuse, and private-tracker cookies often grant full account access.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The workflow directs the agent to download torrent files and add them to qBittorrent, which changes the user's system state and can immediately begin participation in torrent activity. Without an explicit warning and confirmation gate, the skill could cause unintended downloads, bandwidth consumption, data retention, or exposure of the user's tracker account and IP through torrent client activity.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal