Security audit

Card News

Security checks across malware telemetry and agentic risk

Overview

This is a bounded credit-card news research skill that uses disclosed web search/fetch behavior and an optional Brave Search API key.

Install this if you want compact recent-news reports for specific credit cards. Review whether you want the skill to use a BRAVE_API_KEY if one is present, and be aware that broad phrases like “recent news” may activate it unless the host router requires a credit-card context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger list includes broad phrases like "any changes," "recent news," and "updates for," which are common conversational terms and can cause the skill to activate for unrelated requests. That can misroute user intent into unnecessary web searching and fetching, increasing the chance of unintended external requests and confusing responses.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal