dot eprint Quote/0

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Dot e-ink display control skill that uses the user’s Dot credentials to query and update their device, with no hidden or unrelated behavior found.

Install this only if you want the agent to control your Dot display. Treat DOT_API_KEY as a credential, confirm before asking the agent to push text/images or switch content, and avoid sending private images, links, or messages you would not want displayed or transmitted to the Dot API.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill performs state-changing operations that directly alter a physical device's display, but it does not instruct the agent to warn the user or confirm before executing push/switch actions. In an agent setting, this can lead to unintended or socially harmful actions on the user's device, especially when ambiguous prompts trigger immediate display changes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal