Back to skill

Security audit

Finops

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only FinOps guidance skill with expected cloud cost-optimization advice and no hidden execution or data-exfiltration behavior.

Install as a reference skill, but do not grant broad write access to production cloud accounts by default. Prefer read-only billing access for analysis, and require human approval, ownership checks, dependency review, rollback planning, and change windows before deleting, stopping, resizing, auto-terminating, blocking deployments, or changing financial commitments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section recommends actions like deleting unused resources and scheduling environments to save costs, but it does not require impact assessment, backups, ownership checks, or approval gates before potentially disruptive changes. In a FinOps skill with access to billing and operational contexts, an agent or user could apply these recommendations too aggressively and cause outages, data loss, or service degradation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The governance examples include auto-termination of idle resources and blocking deployments without tags, but they omit warnings about business continuity, false positives, and operational exceptions. If implemented naively, these controls could terminate legitimate workloads or prevent urgent deployments, creating denial-of-service conditions or interrupting critical operations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.