Centra

Security checks across malware telemetry and agentic risk

Overview

This appears to be a commerce-management skill, but it can guide order cancellations or similar business changes without clearly requiring user confirmation first.

Review this skill carefully before installing. Use it only with a test or low-privilege commerce account first, and require the agent to ask for explicit confirmation before cancelling orders, changing fulfillment, refunding, or modifying customer/business records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill documents destructive capabilities such as order cancellation without requiring confirmation, authorization checks, or warning about business impact. In an agentic context, this increases the chance that a vague or misinterpreted user request could lead to irreversible state changes in a live commerce system.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal