Jack Cloud

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Jack Cloud deployment helper, but using it can upload source code and change live cloud resources.

Install only if you intend to use Jack Cloud for live deployments. Before running deploy, database-write, secret, or domain commands, confirm the project directory, the logged-in Jack account, and that the repository does not contain code or secrets you do not want uploaded.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill’s invocation text is broad enough to match many generic development requests such as creating APIs, websites, or backends, which can cause the agent to select this skill in situations where cloud deployment is not necessary. Because the skill includes guidance to authenticate, upload source code, and deploy to external infrastructure, over-invocation increases the chance of unnecessary code exfiltration or unintended external actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal