Agent Touch Layer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed iOS Simulator automation skill with sensitive but purpose-matched capabilities, mainly needing careful use around cookies, screenshots, and the unpinned GitHub install.

Install only if you are comfortable building and running the referenced ATL GitHub project locally. Prefer a dedicated simulator, avoid using sensitive logged-in accounts unless necessary, do not share screenshots, PDFs, DOM output, or cookie values from private sessions, and stop the local ATL servers when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation exposes powerful capabilities including screenshots, cookie access, JavaScript execution, browser navigation, and native app control without an explicit privacy and system-impact warning. These features can capture sensitive page contents, session material, or app state and can manipulate local simulator apps in ways a user may not expect. Because the skill combines browser and native automation, the lack of warning materially increases misuse risk.

VirusTotal

64/64 vendors flagged this skill as clean.
