Back to skill

Security audit

MYR

Security checks across malware telemetry and agentic risk

Overview

The skill’s purpose is coherent, but it recommends high-impact installation and network sync steps that users should review before allowing an agent to run them.

Review the GitHub repository and installer before using the one-line curl-to-bash install, or prefer the manual install path with a pinned revision. Only start the persistent server on a trusted network, keep auto-approval disabled unless the environment is controlled, verify peer fingerprints out of band, and check which reports are marked shareable before syncing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list contains broad phrases such as 'MYR', 'what did we learn about', and 'peer sync' that could match normal conversation and invoke the skill unintentionally. Because this skill can initiate installation, networking, peer management, and data import/export behaviors, accidental activation increases the chance of unintended sensitive operations or unsafe guidance being surfaced.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill introduces an HTTP server, peer discovery, report sharing, and peer announcement flows without a prominent upfront warning about privacy exposure, trust boundaries, and integrity risks. In context, these features can expose node metadata, enable data sharing across systems, and expand attack surface, so burying the warning later makes operator misuse more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.