SOX Compliance

Security checks across malware telemetry and agentic risk

Overview

The skill matches its SOX assessment purpose, but it asks users to send potentially sensitive audit/control information to an external API without clear data-handling limits.

Review before installing. Use it only with SOX assessment data your organization is allowed to send to the listed external service, and avoid including secrets, customer data, employee data, raw audit evidence, or detailed control weaknesses unless your compliance and vendor-review process has approved that sharing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly instructs users to submit session identifiers, control statuses, and free-form compliance notes to a remote API, but it provides no warning that these fields may contain sensitive audit evidence, internal control weaknesses, or regulated business data. In a SOX context, such notes can reveal deficiencies in financial reporting controls and internal governance, creating material confidentiality and compliance risk if sent to a third-party service without proper disclosure, minimization, or approval.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal