Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent helper for finding and installing other skills, but users should review any third-party skill before approving a global install.

Install only when you explicitly want to add a new skill. Before running the suggested command, confirm the package name, source, and maintainer, and consider removing `-y` if you want the CLI confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger guidance is broad enough to activate on very common user requests such as 'how do I do X' or 'can you do X,' which can cause this discovery/install skill to be invoked in situations where the user did not actually ask to search for third-party packages. In this context, that increases the chance the agent steers users toward installing external skills unnecessarily, expanding trust boundaries and creating supply-chain exposure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill recommends `npx skills add <owner/repo@skill> -g -y`, which performs global, non-interactive installation of code from external sources without an explicit safety warning or confirmation step. In a skill specifically designed to discover and install third-party skills, this materially increases the risk of accidental or socially engineered installation of untrusted packages with persistent effects on the user environment.

VirusTotal

64/64 vendors flagged this skill as clean.
