Web Vulnerability Assessment

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ToolWeb API-backed security assessment skill, but it sends application and organization details to an external paid service.

Install only if you intend to use ToolWeb for web vulnerability assessments and are allowed to share the requested application and infrastructure details with that provider. Avoid submitting secrets, internal hostnames, customer data, or regulated details unless your organization permits it, and monitor API key usage because successful calls are described as billable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to collect and transmit organization name, application name, technology stack, deployment environment, and assessment scope to a third-party API without requiring user consent or providing a clear privacy/data-sharing warning. In a security-assessment context, these details can be highly sensitive because they reveal internal architecture, security priorities, and potential attack surface to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal