Back to skill

Security audit

Built at GrowthX

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed GrowthX project-submission helper that reads limited project metadata and submits only after user confirmation.

Install only if you trust GrowthX and want your agent to submit project details there. Use a GrowthX-specific API key, prefer environment or protected config storage, do not share the key, and review the final project name, description, stack, URL, and status before approving submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly tells users to store a sensitive API key in a local plaintext config file without any warning about secret handling, file permissions, or safer alternatives. This increases the chance of credential exposure through backups, screenshots, shared home directories, malware, or accidental commits if users mirror config into dotfiles.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.