Security audit

Compliance Gap Filler

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward compliance-gap advice skill; the main risk is that users may send sensitive compliance posture details to an external API.

Install only if you are comfortable sending compliance framework names and missing-control details to the provider. Avoid submitting secrets, customer data, internal evidence, system names, or detailed audit weaknesses unless your organization has approved that vendor and data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill describes sending compliance-gap inputs to an external API but does not warn users that the submitted data may reveal sensitive security posture information, missing controls, or audit weaknesses. In this context, that omission is risky because compliance deficiencies can materially aid an attacker, vendor over-collection can create confidentiality concerns, and users may disclose internal control gaps without informed consent.

Vague Triggers

Medium
Confidence: 91%
Finding
The endpoint is defined with a very broad summary ('Fill Gaps') and no detailed description of what data it accepts, what transformations it performs, or what constraints govern its use. In an agent skill context, vague operation metadata can cause over-broad invocation or misuse, especially when the API accepts open-ended compliance data and may generate authoritative-sounding security guidance without clear scope boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.