Back to skill

Security audit

Fabric Bridge

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a straightforward Fabric CLI bridge, but users should remember that content sent through it may leave the local machine via Fabric's configured AI providers.

Install this only if you intend to use Fabric and understand how your local fabric-ai CLI is configured. Do not pass secrets, private documents, credentials, proprietary data, or private URLs through this skill unless you are comfortable with Fabric and its model providers processing that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description contains broad trigger phrases like general content analysis, writing improvement, summarization, and mentions of 'fabric', which could cause the agent to invoke this skill for many ordinary requests. Because the skill routes content into an external CLI/service ecosystem, over-broad invocation increases the chance of unintended data disclosure or unnecessary external processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows examples that send text, files, URLs, YouTube links, images, context, and session data through `fabric-ai`, but it does not clearly warn that this may transmit user content to external AI/API-backed services. Users or calling agents may therefore expose sensitive data to third parties without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.