Back to skill

Security audit

agent-metrics-monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a self-contained metrics helper, with only minor cautions around local dashboard export examples and sensitive values in metric labels.

Before installing, review the source if publisher provenance matters to you. When using it, avoid placing tokens, secrets, raw prompts, or personal data in metric labels or error types, and choose a confirmed output path before copying the Grafana dashboard file-writing example.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The documentation instructs users to write a Grafana dashboard JSON file with fs.writeFileSync using a fixed filename and no warning about overwriting existing local files. While the path is not attacker-controlled here, this can still cause accidental data loss or clobber an existing file when users copy-paste the example into a real environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.