File Compression

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate file-compression skill with disclosed dependency setup and no evidence of hidden data access, persistence, exfiltration, or destructive behavior.

Install only if you are comfortable with a skill that may run local compression scripts and may need Ghostscript or Python/Node dependencies. Review any sudo or package-manager command before approving it, and prefer using current patched dependency versions when processing files from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to execute shell commands such as Python, Node, pip, npm, and Ghostscript operations, yet it declares no permissions for shell/code execution. This creates a permission-model mismatch that can cause the skill to run with capabilities that are not transparently declared or reviewed, increasing the risk of unintended command execution and supply-chain exposure from package installation steps.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Ghostscript install examples:

- macOS: `brew install ghostscript`
- Ubuntu/Debian: `sudo apt-get update && sudo apt-get install -y ghostscript`

Safety note:
Confidence
88% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Ghostscript install examples:

- macOS: `brew install ghostscript`
- Ubuntu/Debian: `sudo apt-get update && sudo apt-get install -y ghostscript`

Safety note:
Confidence
88% confidence
Finding
sudo

Unpinned Dependencies

Low
Category
Supply Chain
Content
pikepdf>=8.15.0
pillow>=10.0.0
Confidence
95% confidence
Finding
pikepdf>=8.15.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pikepdf>=8.15.0
pillow>=10.0.0
Confidence
95% confidence
Finding
pillow>=10.0.0

Known Vulnerable Dependency: pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption); +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
pillow

Chaining Abuse

High
Category
Tool Misuse
Content
Ghostscript install examples:

- macOS: `brew install ghostscript`
- Ubuntu/Debian: `sudo apt-get update && sudo apt-get install -y ghostscript`

Safety note:
Confidence
81% confidence
Finding
&& sudo

VirusTotal

65/65 vendors flagged this skill as clean.
