huo15-detective

Security checks across malware telemetry and agentic risk

Overview

This instruction-only background-check skill is not malware, but it needs Review because it can collect and package sensitive personal investigation details without clear privacy or authorization limits.

Review before installing. Use only for authorized business due diligence or lawful investigations, avoid private-person background checks without consent or a clear legal basis, and require the agent to redact unnecessary personal identifiers before creating or sharing reports.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger conditions are broad enough that ordinary requests like checking a company or person could auto-activate a background-investigation workflow without clear user confirmation or scope validation. In a skill that handles potentially sensitive corporate and personal information, accidental invocation increases the chance of collecting, inferring, or reporting data the user did not explicitly request.

Missing User Warnings

High

Confidence: 96% confidence
Finding: This section instructs the skill to conduct personnel background investigations and produce reports, but it does not require consent, lawful basis, minimization, or any warning about handling sensitive personal data. Because the workflow explicitly discusses identity disambiguation, partial ID numbers, risk records, and report generation, the missing privacy controls materially increase the risk of doxxing, unlawful profiling, and privacy violations.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill directs the agent to generate a Word document, name it, and send it to the user, but does not define output-safety boundaries, storage handling, or restrictions on what data may be written into the file. In context, the report may contain sensitive company and personal background information, so automatic document creation and transmission can lead to unintended persistence, over-disclosure, or leakage to downstream systems and users.

VirusTotal

No VirusTotal findings

View on VirusTotal