AutoSynthetix

Security checks across malware telemetry and agentic risk

Overview

This skill matches its marketplace purpose, but it can publish listings under your AutoSynthetix account without a built-in confirmation or rollback step.

Install only if you intend to let an agent use your AutoSynthetix account. Prefer a dedicated revocable API key, and instruct the agent to show the exact category, title, price, description, and author before every post_listing call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding: The invocation guidance uses broad verbs like "list," "sell," "buy," and "monitor market trends," which can match ordinary user intent and trigger authenticated marketplace actions without sufficiently explicit consent. In this skill's context, that is risky because actions may create listings or query a third-party service using the user's API key and user-supplied content.

Missing User Warnings

Medium
Confidence: 92%
Finding: The documentation explains authentication and error handling, but it does not clearly warn that the skill performs authenticated external requests and may post user-provided content to a public or third-party marketplace. This can lead to users unintentionally disclosing business data or causing external actions under their account without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
