RedTransporteAPI

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only transit CLI skill whose local server and coordinate-based route queries fit its stated purpose, with privacy precautions worth noting.

Install only if you trust the source of the `red-transporte` binary/package. Treat exact coordinates as private, avoid putting home or work locations into shared logs or shell history, and do not expose the local HTTP server publicly unless you add appropriate authentication, TLS, and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents a local HTTP API and examples that transmit precise origin and destination coordinates, but it provides no privacy notice, data-handling guidance, or warnings about exposing sensitive location data through logs, shell history, browser history, or networked API deployments. While the examples target localhost, users may still reveal home/work locations or unintentionally bind the server beyond the local machine, increasing privacy and operational risk.

VirusTotal

63/63 vendors flagged this skill as clean.
