Aloudata CAN SKILLS - metric-attribution

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only metric attribution skill that uses a disclosed Aloudata API key and network access for its stated analytics purpose, with some scope and metadata cautions.

Install only if you trust Aloudata and intend the agent to query CAN Gateway business metrics. Use a least-privilege CAN_API_KEY, avoid configuring a key with broader data access than needed, and be aware the broad trigger phrases may cause the skill to run on ambiguous metric-change questions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

High
Confidence: 96%
Finding
The trigger conditions are extremely broad and include common phrases like asking 'why did it rise/fall' or 'what reason', which can cause the skill to activate for many ordinary analytical conversations. Over-broad auto-invocation is dangerous here because this skill has network:outbound and env:read permissions and instructs the agent to query an external API, so accidental triggering can lead to unnecessary external data transmission and secret use.

VirusTotal

64/64 vendors flagged this skill as clean.
