Presently

Security checks across malware telemetry and agentic risk

Overview

This instruction-only presentation API skill is purpose-aligned, but users should be careful about sending private text or optional email data to the external provider.

Install only if you are comfortable sending presentation source text to ToolWeb's external API. Omit user_email unless needed, use a non-sensitive user_id where possible, and avoid confidential, personal, or regulated content unless the provider's privacy and retention terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documentation explicitly includes collection of user_id and user_email in requests, but provides no privacy notice, purpose limitation, retention guidance, or handling constraints. In an agent ecosystem, this increases the risk of unnecessary transmission of personally identifiable information to a third-party API and can lead to privacy, compliance, or data minimization failures.

Missing User Warnings

Medium
Confidence: 81%
Finding
The schema accepts personal data fields such as user_id and user_email for the /create endpoint but provides no privacy notice, purpose limitation, or data-handling guidance. This increases the risk of unnecessary collection or transmission of PII to the service, which can lead to privacy violations, compliance issues, or accidental leakage if consumers send sensitive user data without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.
