Ctf Osint

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CTF OSINT skill, but it includes under-scoped guidance for sensitive tokens, live reconnaissance, and personal-location research.

Install only for authorized CTF/lab use. Do not paste personal Discord tokens into commands, do not probe or de-anonymize real systems without permission, and treat browser history, usernames, IPs, EXIF data, routes, API keys, and discovered credentials as sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: This section explicitly instructs users to enumerate Discord server data with a user token, which is a sensitive credential and not appropriate for a general public OSINT skill. Using a user token to access roles, emojis, and message search enables unauthorized scraping of account- and server-scoped data and can facilitate account misuse or ToS-violating access patterns.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly requires internet access and provides package installation and external-query commands, but it does not warn that using these commands will contact third-party services and may disclose the target of an investigation. In an agent setting, this can cause unintended outbound traffic, logging by external providers, and privacy or operational-security leaks.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill recommends privacy-impacting OSINT techniques involving social media, browser history, Telegram bots, and gaming accounts without any caution about authorization, legality, or handling of personal data. That omission increases the chance an agent or user will apply these techniques against real individuals or sensitive data inappropriately.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The section explicitly instructs users to extract and use EXIF GPS and related metadata, but it provides no warning that such metadata can expose precise locations, device details, timestamps, or other sensitive information. In an OSINT skill, this omission is risky because users may normalize collecting or sharing metadata without considering privacy, consent, or accidental disclosure of non-public location data.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The IP geolocation section recommends querying third-party lookup services directly with target IPs, but it does not warn that doing so discloses the investigated IP and investigation activity to external providers. This can leak sensitive case context, create audit/privacy issues, and potentially tip off infrastructure owners or data brokers depending on the service used.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The Strava section gives a workflow for identifying a person's physical location from fitness routes and correlating it with maps and photos, but provides no safety, privacy, or consent boundaries. Even in a CTF context, this normalizes doxxing-adjacent tradecraft that can be repurposed for real-world stalking, home/work inference, or other physical safety harms.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The Discord enumeration guidance describes accessing hidden or non-UI-visible metadata and searching guild messages with a user token, without any warning about consent, privacy, or account misuse. That lowers the barrier for harvesting data from communities and private contexts in ways users may not expect, increasing abuse potential beyond benign OSINT.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: This section gives step-by-step guidance for interacting with Telegram bots and explicitly includes an example where the bot reveals credentials to a secondary system. In an OSINT/CTF context this may be intended for challenge solving, but without clear scoping and safety language it can normalize accessing real services and handling discovered credentials, which could be misapplied outside authorized environments.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The Shodan fingerprinting section directly describes techniques to de-anonymize Tor hidden services and CDN-backed systems by correlating SSH or TLS fingerprints to real IPs. Even if presented as a CTF trick, this is dual-use reconnaissance guidance that can facilitate targeting, privacy bypass, and infrastructure discovery against real-world services when no authorization caveat is provided.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal