Back to skill

Security audit

Vocational Report Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent report generator, but it requires running an unverified local Python conversion script that may be found by searching the workspace.

Review this skill before installing in sensitive workspaces. Use it only if you are comfortable with the agent doing web research and creating report files, and avoid letting it run a discovered md_to_html.py unless you have verified that script yourself or have instructed the agent to generate HTML without executing local code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to execute a local Python script and, if needed, search the workspace for it with glob. That expands the skill from report generation into code execution and filesystem discovery, which can be abused or can violate least-privilege expectations if the workspace contains unintended files or a tampered script.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.