Report

Security checks across malware telemetry and agentic risk

Overview

This reporting skill is coherent and disclosed, though users should be careful with scheduled reports and external delivery destinations.

Install only if you want an agent to maintain scheduled reports. Use least-privilege API keys, prefer local file delivery for sensitive reports, verify Telegram chat IDs, email recipients, and webhook URLs before enabling them, and periodically review ~/report plus active schedules.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: Webhook delivery explicitly sends report data to an external URL, yet the documentation gives no warning about external transmission, privacy implications, destination trust, or consent boundaries. Because reports may contain sensitive business or personal data, silent exfiltration to third-party endpoints creates a meaningful confidentiality and compliance risk.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: Referencing email delivery via SMTP credentials without explaining credential handling or the privacy implications of email transmission is a real security concern. Users may supply sensitive credentials or transmit sensitive reports over insecure or misconfigured email paths without understanding the exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal