ARC Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, user-directed helper for creating ARC research repositories, with ordinary local file and optional DataHUB sync risks users should review.

Use a dedicated empty ARC folder, review copied files and `git status` before `git add -A`, confirm the DataHUB host and repository visibility before pushing, and use a narrowly scoped token for the intended DataHUB service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to push ARCs to remote DataHUB hosts without an explicit warning that research data, metadata, contact details, and possibly unpublished results will leave the local system. In this context, ARCs can contain sensitive scientific metadata and large datasets, so omission of a clear transmission warning can lead to accidental data disclosure to external infrastructure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal