
Security audit

Dropage Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: uploads a user-selected HTML or zip file to Dropage and returns a temporary public link.

Before using it, review the HTML or zip for secrets, private assets, or proprietary content, because the selected file is sent to Dropage and becomes publicly reachable until it expires.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough to match common requests like 'share this HTML' or 'get a link', which can cause the skill to activate in situations where the user did not clearly intend to upload a local file to a public third-party service. In this skill's context, unintended activation is more dangerous because the action publishes user-provided content externally and creates a public URL, increasing the chance of accidental data exposure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs the agent to upload local files to dropage.online and return a public URL, but it does not prominently warn the user that this transfers content to a third-party service and makes it publicly accessible. In this context, that omission is especially risky because users may unknowingly expose sensitive HTML, embedded secrets, internal assets, or proprietary content to the internet.

VirusTotal

61/61 vendors flagged this skill as clean.
