App Order Date Key Stats

Security checks across malware telemetry and agentic risk

Overview

This skill is an order-reporting helper, but it would connect an agent to a real business database and build SQL from user-provided values without strong guardrails.

Install only in an authorized internal environment where this agent is allowed to query the 久事体育 order database. Use a narrowly scoped read-only account, avoid broad production credentials, and require parameterized SQL or strict validation for dates and keywords before letting the skill run live queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill explicitly reads database connection parameters from environment variables and performs live queries, but the user-facing flow does not clearly disclose that execution will access environment-provided credentials and an external database. In an agent/tooling environment, this creates a transparency and consent gap and increases the risk of unintended sensitive-resource access, especially if users believe they are only getting local formatting or templating behavior.

VirusTotal

65/65 vendors flagged this skill as clean.
