Sync Adapter

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Google Sheets sync helper, but users should verify the credential file and spreadsheet destination before using it.

Before installing or running it, confirm the service-account JSON belongs to you, has only the minimum Google Sheets permissions needed, and that the spreadsheet ID is your intended destination. Treat the cron sync as an automated process that may append private expense or investment data without further prompting once configured.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill documentation explicitly references a local service-account credential file path and describes using it to obtain OAuth access tokens for Google Sheets. Even though it does not expose the key contents directly, embedding credential location and operational details in a reusable skill materially increases the chance that an agent or downstream automation will access sensitive credentials without explicit user consent or safety controls.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal