Recipe Post Mortem Setup

Security checks across malware telemetry and agentic risk

Overview

The skill appears to automate Google Workspace actions, and the flagged document, calendar, and chat changes are expected for that purpose but should be reviewed before use.

Install only if you intend the agent to make live Google Workspace changes. Before running it, review the exact Doc sharing settings, Calendar attendees and time, and Chat space or recipients so it does not notify the wrong people or disclose sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directly instructs the agent to create a shared Google Doc, schedule a Calendar event, and send a Chat message, but it provides no warning that these are external side effects that modify organizational data and notify other users. In an agent setting, this can cause unintended workspace changes, information disclosure, or spam if the user does not clearly understand that executing the recipe will perform live actions in shared systems.

VirusTotal

64/64 vendors flagged this skill as clean.
