Data Privacy Checklist

Security checks across malware telemetry and agentic risk

Overview

This skill discloses that it is backed by the ToolWeb API; the main risk is that assessment answers are sent to a third-party service.

Install only if your organization is comfortable sending privacy-control answers, optional notes, and a session ID to ToolWeb.in under a ToolWeb API key that may consume billable quota. Do not include unnecessary confidential details, and treat partial results carefully because unanswered areas may be scored as non-compliant.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The skill says it will gather user-provided compliance inputs, but also allows omitted areas to be sent or inferred such that the external service scores missing areas as 0% compliant. That can produce materially misleading privacy assessments by converting unknowns into failures without explicit user approval, which may drive incorrect remediation or compliance decisions.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding:
The trigger phrases are broad enough to match ordinary privacy or compliance questions, increasing the chance the skill activates when the user did not intend to use a third-party assessment workflow. In this skill, overbroad routing is more dangerous because activation leads into collection and transmission of organization-specific privacy posture data to an external API.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill instructs the agent to collect detailed organizational privacy and compliance information and send it to a third-party API, but it does not require a clear user-facing disclosure or consent for that transmission. This can expose sensitive internal governance, incident response, vendor, and cross-border transfer details to an outside service, creating confidentiality, contractual, and regulatory risk.

VirusTotal

66/66 vendors flagged this skill as clean.