JEE

Security checks across malware telemetry and agentic risk

Overview

This is a JEE study-assistant skill with disclosed local progress tracking and no evidence of hidden code, network activity, credential use, or destructive behavior.

Before installing, be comfortable with the agent keeping local records in ~/jee/. Review or delete that folder when you no longer want the information retained, and avoid storing details you would not want reused in later study-planning sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly directs storage of user data under ~/jee/, including profile details, category, exam dates, mock results, mistakes, and feedback, but provides no notice, consent flow, retention limits, or privacy safeguards. While this is not overtly malicious, it creates a real privacy risk because sensitive educational and potentially personal data may persist on disk unexpectedly and be accessible to other local processes, backups, or later sessions.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal