Forms

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only forms guide with expected integration examples; users should still handle form data and API keys carefully.

Safe to install as documentation. Before using generated forms or snippets, confirm where submissions go, avoid sending sensitive fields to chat or broad automation tools, keep API keys out of prompts/logs, use least-privilege tokens, pin Docker/package versions for production, and define retention/deletion rules for any data stored under ~/forms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file provides numerous examples that send form submission data, including personally identifiable information such as names, email addresses, and messages, to third-party services without any accompanying privacy notice, consent guidance, data minimization advice, or warning about regulatory obligations. In a forms skill, this is materially risky because users are likely to copy these examples into production workflows that process real user data, increasing the chance of silent data sharing and noncompliance.

External Transmission

Medium
Category
Data Exfiltration
Content
### Telegram
```bash
curl "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
  -d "chat_id=${CHAT_ID}&text=New form: user@example.com"
```
Confidence
88% confidence
Finding
https://api.telegram.org/

VirusTotal

66/66 vendors flagged this skill as clean.
