Dgt Wait

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, with privacy disclosures around anonymous reports and IP-based rate limiting that should be clarified before use.

Before installing, check whether you are comfortable submitting report text and location-like details to the service, and look for clear retention and privacy terms for reports and IP-based abuse prevention. Avoid entering names, contact details, or other identifying information unless the service explicitly requires and protects it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The skill claims that no IP is stored permanently while also requiring per-IP rate limiting, which creates a privacy and transparency contradiction. If implemented as documented, users may be misled about tracking practices, creating privacy, compliance, and trust risks around personal data handling.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill describes collecting user-submitted reports and enforcing IP-based query controls while emphasizing anonymity, but it does not adequately warn about the privacy implications of handling potentially identifying metadata. This can result in under-disclosed collection or retention of personal or quasi-personal data, especially when combined with free-text submissions like school names and province data.

VirusTotal

62/62 vendors flagged this skill as clean.
