Peace Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed HTML review workflow, but it tells the agent to send local files through Feishu without clear confirmation or destination checks.

Install only if you are comfortable with an agent sending selected local HTML files through Feishu. Before running it, confirm the exact file path, recipient or channel, and output filename, and do not use it on files that may contain secrets, private data, or confidential project content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to send a user-specified file through a messaging tool without any confirmation, sensitivity check, recipient validation, or data-sharing warning. In context, this is dangerous because a broad trigger or ambiguous user request could cause unintended exfiltration of local files or confidential project artifacts to an external channel.

Missing User Warnings

Low
Confidence: 83%
Finding
The workflow directs the agent to create a new versioned file on disk without clearly warning the user that a write will occur or confirming the output path. While less severe than file exfiltration, silent file creation or overwrite-adjacent behavior can cause data integrity issues, clutter repositories, or write to unintended locations if filename inputs are manipulated.

VirusTotal

66/66 vendors flagged this skill as clean.
