Books

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk book lookup skill, with the main caution that the reviewed package is documentation-only and points to external CLI scripts.

This skill appears appropriate for public book metadata lookups. Before installing from the README’s GitHub instructions, review or pin the external repository because the executable CLI files were not included in the reviewed package. Consider invoking it only for explicit lookup requests rather than every book-related conversation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The activation guidance is overly broad: 'when user asks about books' could cause the agent to invoke this skill for general book-related conversation, not just explicit lookup requests. This can lead to unnecessary external API calls, unintended tool use, and reduced user control, though the skill is read-only and uses a public no-auth API, which limits the severity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal