Back to skill

Security audit

BrewPage Publish

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to publish content to a public hosting service, but its broad triggers and weak disclosure could cause users to expose files more easily than they expect.

Review this skill carefully before installing. Use it only for content you intentionally want to publish publicly, avoid secrets or private files, and look for an explicit confirmation step before any upload to brewpage.app.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is very broad and includes generic phrases like 'publish', 'share link', 'share a file', and 'deploy site', which can cause the skill to activate in contexts where the user did not clearly intend public internet publication. In this skill's context, unintended invocation is especially risky because the action uploads user-provided content to an external public hosting service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill does not prominently warn that the requested content is uploaded to a public external hosting service and exposed via a shareable URL. Users may provide sensitive files, source trees, reports, or internal documents without understanding that the destination is public internet hosting, creating a serious data exposure risk.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.