Security audit

Source Scout

Security checks across malware telemetry and agentic risk

Overview

Source Scout is a disclosed web-research skill for factual answers, with ordinary citation and optional image-attachment behavior and no evidence of hidden or harmful actions.

Install this if you want factual questions answered with web searches, citations, and occasional sourced images. Avoid using it for sensitive private questions you do not want sent to search tools, and treat downloaded images as untrusted until verified.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill's trigger criteria are extremely broad, covering common factual question forms like "what/where/who/how/why" and instructing activation even when the user does not ask for sources. That can cause unintended invocation of a web-browsing, source-fetching workflow for ordinary queries, increasing the chance of unnecessary external access, privacy leakage through search queries, and unexpected tool use.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs downloading remote images to local storage and provides a shell pattern using curl, but it does not require user consent, content-type validation before download, size limits, domain allowlisting, or safeguards around handling untrusted files. This creates risk from unexpected file writes, retrieval of malicious or oversized content, and unsafe handling of attacker-controlled remote resources.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal