Security audit

Agent Trend Radar

Security checks across malware telemetry and agentic risk

Overview

This is a coherent trend-analysis skill that uses web search and LLM APIs as advertised, with ordinary third-party data-sharing and API-key considerations.

Install only if you are comfortable sending entered keywords, generated search queries, and retrieved article snippets to Tavily and the selected LLM provider. Use quota-limited API keys and avoid running npm start if you do not want the included sample job to make API calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The README states that the skill uses Groq and Tavily, including web search, but does not disclose that user-supplied keywords and related query data may be sent to external third-party services. This creates a transparency and privacy risk because users may provide sensitive or proprietary terms without realizing they will leave the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical

Code: suspicious.env_credential_access
Location: src/fetcher.ts:8