NumPy

Security checks across malware telemetry and agentic risk

Overview

This skill appears safe for NumPy coding help, with the main caveat that it can remember NumPy preferences and activation choices across sessions.

Install this if you want NumPy-focused coding help. During setup, choose whether it may activate automatically and whether it may remember your experience level, use cases, dtype preferences, and snippets. If you do not want persistent personalization, decline those options, or clear ~/numpy/ and the related MAIN memory entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The activation guidance is overly broad because it encourages the skill to attach itself to general categories like arrays, numerical Python, or data processing, including automatic activation across future sessions. This can cause the skill to trigger in more contexts than the user reasonably expects, increasing the chance of unnecessary memory access, persistence, and scope creep in unrelated conversations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs saving preferences to MAIN memory so they persist across sessions, but it does not require a clear user-facing disclosure or explicit consent before storing that data. Even if the data seems low sensitivity, silent persistence can violate user expectations and create privacy risk through cross-session profiling and unintended reuse of personal work patterns.

VirusTotal

66/66 vendors flagged this skill as clean.
