Qa Analyst

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use session and user identifiers for its stated API workflow, with a privacy-documentation gap but no evidence of hidden or harmful behavior.

Install only if you are comfortable with the skill sending session/user identifiers and timestamps as part of its API requests. Avoid using sensitive or regulated data unless the service’s privacy, retention, and access-control practices are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 89%
Finding
The skill explicitly includes sessionId, userId, and timestamps in request payloads but provides no privacy notice, retention guidance, or data-handling constraints. While these fields are common for application telemetry and personalization, documenting collection of trackable identifiers without stating purpose limitation or handling expectations creates an unnecessary privacy and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.
