Mirrory - MVP

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use disclosed authentication details for its integration, but users should handle those secrets carefully.

Install only if you intend to connect this agent to that external API. Treat the proxy secret and JWT as passwords: do not paste them into shared prompts or logs, prefer short-lived or least-privilege tokens, rotate them if exposed, and be aware that the machine identifier may identify your device or agent environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documentation explicitly instructs users to send a proxy secret, JWT token, WordPress user ID, and machine identifier to an external API without any warning about secure handling, storage, rotation, or privacy implications. In an agent-skill context, this increases the chance that secrets and device identifiers are exposed in logs, prompts, telemetry, or third-party processing pipelines.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal