
Security audit

Data Labeling Studio

Security checks across malware telemetry and agentic risk

Overview

This skill does not look like malware, but it presents random demo annotations and synthetic quality scores as if they were real labeling and quality-control results.

Treat this as a demo or scaffold, not a trustworthy data-labeling tool. Do not use its generated annotations or quality scores for model training, dataset acceptance, or business decisions without replacing the mock logic and manually validating results. Run it in a virtual environment and only on datasets you are authorized to process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The tool presents itself as an annotation quality checker, but the IoU and other reported metrics are fabricated or simulated rather than computed from real data. This can mislead users into trusting invalid quality reports, causing downstream decisions, model evaluation, or dataset acceptance to be based on false evidence.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
This skill processes text, audio, image, and video datasets, which commonly contain personally identifiable, confidential, or regulated information. Omitting any privacy warning or handling guidance can lead users to process sensitive data without considering consent, minimization, retention, or secure storage, increasing the risk of data exposure or noncompliance.

VirusTotal

66/66 vendors flagged this skill as clean.
