Security audit

Runa

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Runa bookmarking integration that sends user-chosen links, notes, and files to Runa, with no hidden executable behavior found.

Install this only if you want an agent to manage your Runa library using your API key. Avoid saving private notes, secrets, internal links, or sensitive documents unless you are comfortable with Runa storing and processing them, and review delete operations carefully before confirming.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill advertises broad trigger phrases such as 'save this text' and 'find my saved', which are common conversational patterns and can cause unintended invocation. In a skill that transmits content to a third-party API and can upload files, accidental activation increases the chance of unintended data disclosure or state-changing actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instructions direct the agent to send URLs, text, and files to an external API and explicitly note that embedded URLs are enriched, but they do not require warning or consent from the user before transmission. This creates a real privacy and data-handling risk because users may not understand that their content is leaving the local environment and may be further processed.

VirusTotal

65/65 vendors flagged this skill as clean.
