Security audit

QuickStatic Skills

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only skill for publishing public static sites, with expected upload, query, and delete API calls but no hidden code or installer behavior.

Before installing, treat anything uploaded through this skill as public and hosted by an unknown third-party service. Keep the site_key private because it controls updates and deletion, and only ask the agent to delete a site when you are sure you want it removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly exposes a destructive DELETE operation but provides no user-facing warning, confirmation guidance, or safety constraints around its irreversible effect. In an agent setting, documenting deletion as a routine operation without caution increases the chance of accidental or unauthorized destructive actions, especially because the only identifier needed is the reusable site_key.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.