Trend Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to fetch public GitHub Trending data and optionally manage local bookmarks, with no evidence of credential theft, exfiltration, destructive behavior, or hidden execution.

Safe to install for monitoring public GitHub trends, with the caveat that saved bookmarks may persist in a fixed local workspace file and public repository descriptions should be treated as informational, not trusted instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 88%
Finding
The skill advertises bookmark management and daily memory/trend logging, but the description does not clearly warn users that it may write data to local files or integrated systems such as Feishu or memory files. This can lead to unintended persistence of data, confusing side effects, or accidental disclosure into connected tooling, especially in an agentic environment where users may assume the action is read-only.

VirusTotal

63/63 vendors flagged this skill as clean.
