Back to skill

Security audit

ai-grammar-checker

Security checks across malware telemetry and agentic risk

Overview

This looks like a simple grammar-checking skill, but it is incomplete and should only be used after confirming the missing script and API provider.

Before installing, confirm the referenced Python script is supplied by the publisher and review it separately. Use a dedicated least-privileged grammar API key, avoid submitting confidential or regulated text unless you trust the provider and its retention policy, and invoke the skill only for explicit grammar/proofreading tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill advertises very broad triggers such as 'nlp related functionality,' 'Automating grammar tasks,' and 'Ai operations,' which can cause an agent to invoke it in contexts far beyond simple grammar correction. Overly permissive routing increases the chance that arbitrary user text, including sensitive content, is sent to the skill or its downstream API without clear user intent or appropriate constraints.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation states that a GRAMMAR_API_KEY is required and the script is run on user input, but it does not warn that text may be transmitted to an external service using that credential. This creates a data-handling transparency problem: users or orchestrating agents may pass confidential or regulated text to a third party without informed consent, increasing privacy, compliance, and data exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.