Coala Client

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-style skill for using the Coala CLI, with expected but important cautions around installing a CLI, using API keys, and importing remote tools or skills.

Install only if you trust the `coala-client` package and understand that imported MCP toolsets or skills can persist under `~/.config/coala/` and affect future chats. Import remote ZIPs, CWL files, and skills only from sources you trust, review them before loading, and handle provider API keys carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly documents importing remote HTTP/ZIP sources and loading skills into local configuration directories without warning that these actions persist untrusted content on disk. In this context, that is dangerous because imported MCP toolsets and skills can expand the agent's capabilities or introduce adversarial instructions, creating a supply-chain and persistence risk beyond a one-time chat response.

VirusTotal

64/64 vendors flagged this skill as clean.
