Plashboard Admin

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Plashboard admin skill, but it can automatically create, activate, and run live dashboards from broad natural-language requests without a confirmation step.

Install only if you trust the Plashboard tools and want an agent that can make live dashboard changes directly. For production use, require operators to ask explicitly before activation, deletion, or run-now actions, and review the target dashboard/template before letting the skill act.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs the agent to convert broad natural-language requests like 'I want dashboard X' into tool-driven creation and activation actions. That creates an overbroad trigger surface where ordinary conversational requests can be interpreted as authorization to make persistent system changes, increasing the chance of unintended dashboard deployment or modification.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill directs the agent to automatically onboard, activate, and immediately run dashboards from natural-language input with no user-facing warning or confirmation. Because these are impactful state-changing operations, an ambiguous or maliciously phrased request could cause unauthorized activation of a live dashboard, service disruption, or exposure of incorrect content.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal