Recipe Generate Report From Sheet

Security checks across malware telemetry and agentic risk

Overview

This instruction-only recipe is mostly coherent, but it includes a command that can share the generated Google report with a hard-coded email address.

Review and edit the sharing step before use. Confirm the Google account connected to gws, the exact spreadsheet and document IDs, and the intended recipient; keep the generated document private unless you explicitly approve sharing it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs granting read access on the generated Google Doc to a specific email address without requiring user confirmation, validating recipient identity, or warning that sheet-derived content may contain sensitive business data. Because the recipe reads from a spreadsheet and then publishes a report, this creates a real risk of unintended external data disclosure if users run it as written.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal