state-machine
Security checks across malware telemetry and agentic risk
Overview
This small state-machine skill is incomplete and asks for an API key, but the reviewed artifacts show no hidden execution, persistence, or harmful behavior.
Reasonable to install as a lightweight instruction-only skill, but verify the actual scripts/state_machine.py code before running it and do not provide a real MACHINE_API_KEY until you know which service it belongs to and what permissions it grants.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.
