sutrena

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Sutrena publishing integration that can create live public pages and hosted forms, so users should avoid sending sensitive content unless intended.

Install this only if you are comfortable with the agent sending site, form, dashboard, and collected-submission data to Sutrena and creating live URLs. Review content before publication, do not publish secrets or regulated personal data, and use a Sutrena-specific API key if you provide one.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to execute third-party API calls and publish user-provided content, but it does not require obtaining informed user consent or warning that prompts, page content, form fields, and possibly collected submissions will be sent to and hosted by Sutrena. This creates a real data-governance and privacy risk, especially because the skill tells the agent to act autonomously rather than present commands for user review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal