Back to skill

Security audit

json-converter

Security checks across malware telemetry and agentic risk

Overview

This is a small JSON-conversion skill with no bundled executable code, but its API-key requirement and trigger wording need caution before use.

Before installing, confirm what service JSON_API_KEY belongs to and whether JSON inputs are sent off-machine. Avoid using it with secrets, personal data, proprietary data, or regulated information unless you understand and approve that data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The 'When to Use' section is broad enough that an agent could invoke this skill for loosely related 'processing' or 'data operations' tasks without clear user intent boundaries. In practice, ambiguous triggers increase the chance of inappropriate execution, especially because the skill also references an API key, implying possible external service use during conversion.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requires a JSON_API_KEY but does not warn users why the key is needed, whether data is sent to an external service, or what data handling occurs. This omission can cause users or agents to process sensitive JSON under the false assumption that conversion is purely local, leading to unintended disclosure of confidential data.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.