SupaSkills

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent SupaSkills.ai lookup integration, but its example commands place user-controlled text directly into shell commands, creating a real command-injection risk.

Install only if you intend to use SupaSkills.ai and are comfortable sending search terms to that service. Protect SUPASKILLS_API_KEY like any API credential, avoid sensitive details in searches, and prefer using a scoped HTTP client or URL-encoded parameters instead of copying the raw shell examples with unsanitized user input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to send a search query and retrieve external prompt content from SupaSkills, but it does not clearly warn that user task content may be transmitted to a third-party service. This creates a privacy and data-governance risk, especially for sensitive legal, financial, compliance, or security-related requests where users may disclose confidential information.

VirusTotal

64/64 vendors flagged this skill as clean.
