Security audit

AK Data Daily Timeout Report

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate reporting purpose, but it can expose raw database log request data and depends on unreviewed external scripts and database credentials.

Install only if you can review the referenced Python scripts, use a read-only database account with the narrowest practical access, keep .env secrets out of version control, and restrict generated reports because they may include raw request payloads or customer/internal identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly supports returning log-enriched samples including `request`, `ext_ssn`, and other task metadata, but the documentation does not require redaction, authorization checks, or a user-facing warning before exposing those fields. Because request payloads and log records often contain tokens, identifiers, customer data, or internal parameters, this creates a real data-exposure risk rather than a purely theoretical issue.

VirusTotal

65/65 vendors flagged this skill as clean.