Risk Assessment Compliance

Security checks across malware telemetry and agentic risk

Overview

This is a coherent external website security-check API, with the main caution that submitted URLs are sent to ToolWeb/MKKPro and should only be targets the user is authorized to assess.

Install only if you are comfortable sending target URLs to the listed external provider. Use it only for websites or applications you own or are explicitly authorized to test, and avoid submitting internal, staging, credential-bearing, or sensitive URLs unless your organization has approved that sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill documentation asks users to submit a target URL for analysis but does not clearly warn that the supplied URL will be transmitted to a third-party external service. This creates a data handling and consent issue, especially if users submit internal, sensitive, or non-public endpoints assuming the analysis is local or first-party.

Vague Triggers

Medium
Confidence: 88%
Finding: The API defines a generic security-check capability that accepts an arbitrary URL with no documented scope restrictions, target ownership requirements, authentication, or abuse controls. In an agent context, this can enable unauthorized scanning of third-party systems or internal resources, creating misuse, legal, and SSRF-style risk depending on backend implementation.

VirusTotal

65/65 vendors flagged this skill as clean.
