Dad Jokes

Security checks across malware telemetry and agentic risk

Overview

This skill fetches a single dad joke from HuggingFace when asked and shows no evidence of hidden access, persistence, credential use, or destructive behavior.

Install only if you are comfortable with the agent running a small Python command and making an outbound HuggingFace request whenever you ask for a dad joke. It appears narrow and low risk, but it may not work in environments that block network access or lack python3.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill performs an external network request to HuggingFace without making that behavior clear in a user-facing way. While the fetched content is low-risk joke text and the URL is hardcoded, undisclosed external access can still violate user expectations, privacy constraints, or deployment policies in environments where network use must be transparent or consented to.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal