Supernal Interface

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is coherent with its AI-interface purpose, but users should review what app actions they expose to AI before using it.

Before installing, verify the npm package source and consider pinning a trusted version. Only expose narrowly scoped AI-callable functions, avoid exposing secrets or privileged operations, and require user confirmation for actions that delete data, publish content, spend money, change accounts, or modify important records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The manifest description is extremely broad and can trigger on many ordinary development tasks involving AI integration, decorators, adapters, or CopilotKit. Overbroad activation increases the chance the skill is invoked in contexts the user did not intend, which can expose AI-callable actions and persistence features without sufficient scrutiny.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation encourages exposing application functions as AI-callable and enabling auto-registration and state features, but it does not warn that these actions may modify application data, invoke privileged operations, or persist information. In an AI-controllability framework, missing safety guidance is especially risky because developers may expose destructive or sensitive functions to model control by default.

VirusTotal

64/64 vendors flagged this skill as clean.
