Apps

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple app-recommendation helper that stores app preferences locally, with no evidence of hidden execution, account access, or data exfiltration.

Install this if you want the agent to remember app preferences and recommendation history. Review or delete ~/apps/ if you do not want that information retained, and avoid putting sensitive personal notes in those files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly persists user preferences, app history, dislikes, and wishlist data under `~/apps/` but does not instruct the agent to obtain user consent, disclose retention, or minimize stored data. Even though the storage is local and not obviously exfiltrated, this creates a privacy risk because sensitive behavioral preferences may be retained longer than the user expects and could be accessed by other local processes or users on the same system.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal