Harrypotter

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Harry Potter lookup skill that discloses public API use and shows no sensitive access, persistence, or destructive behavior.

This looks safe for public Harry Potter lookups. Be aware it sends relevant lookup terms to HP-API, and if you install using the README's external GitHub instructions, inspect the referenced executable scripts because they were not included in this reviewed package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The instruction 'When user asks about Harry Potter' is a broad invocation trigger that can cause the agent to call this skill for loosely related requests rather than only when a structured Harry Potter lookup is actually needed. While this is not directly a code-execution or data-exfiltration risk, it can increase unnecessary tool use, create overreach in agent behavior, and route unrelated queries to an external API without sufficient relevance checks.

VirusTotal

66/66 vendors flagged this skill as clean.
