
Security audit

Password Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local password generator, but its listing includes unrelated financial referral links that users should ignore.

Install only if you are comfortable with the publisher's promotional metadata. Do not treat the crypto or stock links as part of the password workflow, and avoid analyzing real passwords unless you are comfortable with them being echoed in local terminal output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 96%
Finding
The manifest description mixes the stated password-generator purpose with broad promotional language and unrelated crypto/stocks referral content. This weakens scope clarity for users and platforms, increases the chance of deceptive installation or invocation, and can serve as social-engineering bait unrelated to the skill’s security function.

Natural-Language Policy Violations

Low
Confidence: 93%
Finding
The description embeds hard-coded external referral links, including a locale-specific URL, without any user-driven action or justification in the manifest. Even in metadata, this is risky because it introduces off-platform redirection and monetization behavior unrelated to password generation, which is a strong indicator of phishing, tracking, or deceptive promotion.

VirusTotal

64/64 vendors flagged this skill as clean.
