42Crunch

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate 42Crunch integration, but it exposes broad direct API request capability, including destructive methods, without clear confirmation or scoping guidance.

Install only if you trust the publisher and are comfortable granting the agent access to your 42Crunch account through the integration. Use least-privilege credentials if possible, prefer built-in/list/read actions first, and require an explicit target summary before allowing any create, update, or delete request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill explicitly documents a generic proxy request capability with arbitrary paths and HTTP methods including POST, PUT, PATCH, and DELETE, but provides no guardrails about confirmation for destructive operations, scope validation, or user-impact checks. In an agent setting, this can enable unintended state-changing or destructive API actions against a user's 42Crunch environment if the model overgeneralizes or acts on ambiguous instructions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal