DevSecOps Roadmap

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward DevSecOps roadmap API wrapper, with the main caution that users may send sensitive organizational security posture details to a third-party service.

Use sanitized or approved organizational information. Avoid submitting secrets, exact vulnerability details, internal system names, sensitive architecture notes, or personally identifying user IDs unless you trust the service operator and are authorized to share that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documentation explicitly includes `sessionId`, optional `userId`, timestamps, and rich organizational assessment data covering security maturity, tooling gaps, and operational weaknesses, but provides no privacy notice, data minimization guidance, retention policy, or warning about sensitivity. In this context, the data can reveal an organization's security posture and identifiers suitable for correlation or tracking, making inadvertent disclosure or unsafe downstream handling materially risky.

VirusTotal

65/65 vendors flagged this skill as clean.
