IOT Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward IoT career-roadmap API skill, with the main caveat that users may send personal career assessment data to an external service.

Before installing, decide which assessment details you are comfortable sharing with the roadmap service, and send only those. Prefer pseudonymous session IDs, omit userId unless needed, and avoid including sensitive personal history beyond what is necessary for the roadmap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly instructs users to submit assessment data that includes a session identifier, userId, career history, skills, and goals, but provides no privacy notice, data minimization guidance, retention policy, or handling constraints. Because this is a career-assessment workflow involving user-identifying and profiling data sent to a third-party API, the omission increases the risk of privacy harm, unintended disclosure, and unsafe downstream use.

Missing User Warnings

Medium
Confidence: 80%
Finding
The schema explicitly collects sessionId and optional userId, but the API spec provides no notice about purpose, retention, sharing, or protection of that data. In a career-roadmap context, these identifiers can enable tracking, linkage of assessment results to a person, and privacy harm if consumers send real identifiers without understanding how they are handled.

VirusTotal

61/61 vendors flagged this skill as clean.
