RTL-SDR WFM RDS Decoder

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: records broadcast FM from an RTL-SDR and saves local audio and metadata files without hidden network, credential, or persistence behavior.

Install this only if you want an agent to run local SDR/media-processing commands and save radio recordings on disk. Use an explicit output directory, monitor disk use for long or multi-station recordings, and review generated MP3 and JSON files before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (87% confidence)

Finding: The skill description and examples use broad natural-language triggers like 'working with RTL-SDR broadcast FM tasks' and 'scan the entire broadcast FM band,' which can cause over-broad invocation and autonomous multi-step execution. Because the skill performs shell execution and writes files, ambiguous trigger boundaries make accidental activation and excessive actions more likely than with a tightly scoped command-only skill.

Missing User Warnings

Medium (89% confidence)

Finding: The documentation mentions default output behavior, but it does not present an explicit user-facing warning that recordings, metadata JSON, and possibly intermediate artifacts are written to disk automatically. In a skill that captures radio content and metadata, silent persistence can create privacy, retention, and disk-usage risks, especially in shared or ephemeral environments.

VirusTotal

65/65 vendors flagged this skill as clean.
