AIOT Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AIoT career-roadmap API skill, with ordinary profile and session data sharing for personalization.

Safe to install as an API-description skill. Before using the roadmap endpoint, avoid sending confidential employer details, secrets, or unnecessary personal identifiers, and treat sessionId/userId values as data that can link activity across requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill documentation explicitly instructs users to submit assessment profiles along with session identifiers, timestamps, and optional user IDs, but provides no privacy notice, data minimization guidance, retention statement, or warning that this information is sent to a third-party API. While the fields are not highly sensitive by themselves, the combination of career goals, background, timestamps, and persistent identifiers can enable profiling, linkage across sessions, and unnecessary exposure of personal data.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The request schema collects session identifiers, timestamps, and optional user identifiers without documenting data handling, retention, or privacy expectations. While not an exploit primitive by itself, this creates a real privacy and trust risk because consumers may send linkable user/session data to the service without informed consent or clear minimization boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal