Uxc

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate remote API helper, but it deserves review because it can send agent data to arbitrary external services and persist credential-backed API links.

Install only if you need a generic remote API execution layer. Use trusted endpoints, least-privilege credentials, header-based auth where possible, and require explicit approval before calls that write data, change accounts, post publicly, or perform business or financial actions. Review and prune persistent UXC links and auth bindings periodically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly guides agents to call arbitrary remote hosts and send structured payloads, but it does not prominently warn that prompts, user data, secrets, or local-derived content may be transmitted to external endpoints. In an agent context, this increases the risk of unintended data exfiltration, especially because the skill is framed as a reusable generic execution layer across multiple protocols and auth modes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The example explicitly recommends API-key authentication via URL query parameters. Secrets in URLs are commonly exposed through logs, browser/history tooling, proxies, monitoring systems, referrer leakage, and server access logs, so normal use of this pattern can unintentionally disclose credentials.

VirusTotal

53/53 vendors flagged this skill as clean.
