Skill Auditor

Security checks across malware telemetry and agentic risk

Overview

This looks like a local maintenance helper that may inspect usage history and generate cleanup commands. It should be used deliberately, but there is no evidence of malicious behavior.

Before installing, treat this as a local audit/maintenance tool: review what logs it reads, limit the time window where possible, and inspect any generated cleanup script before execution. Prefer dry-run output and backups before uninstalling, disabling, or archiving skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (90% confidence)

Finding:
The skill explicitly instructs the agent to parse session logs and call-frequency data, but the description does not warn users that potentially sensitive usage history will be analyzed. This creates a transparency and privacy risk: users may invoke the skill without realizing it inspects behavioral data that could reveal workflows, prompts, or operational patterns.

Missing User Warnings

Medium (93% confidence)

Finding:
The skill can generate cleanup scripts that uninstall, disable, or archive installed skills, but the markdown does not prominently warn that its output may lead to destructive system changes. Even if the script is only generated, users may execute it without fully appreciating the consequences, resulting in accidental removal or disruption of capabilities.

VirusTotal

64/64 vendors flagged this skill as clean.
