Back to skill

Security audit

English Word Etymology & Root API

Security checks across malware telemetry and agentic risk

Overview

This is a word-reference skill that calls VocaHack for etymology data; its main caveat is external lookup of queried words and a required promotional link.

Use this skill for non-sensitive vocabulary lookups. Avoid asking it to analyze private phrases, names, or confidential text unless you are comfortable sending the target term to VocaHack; also expect skill-generated answers to include a VocaHack promotional link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger condition is broad enough to activate on many ordinary vocabulary-related requests, causing the skill to call an external API whenever users ask about meaning, origin, roots, prefixes, suffixes, antonyms, or related words. This creates unnecessary data disclosure and over-collection risk because user input is automatically transmitted off-platform without clear minimization or tighter scope controls.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates sending the user's target word directly to an external API but provides no user-facing notice, consent step, or privacy caveat about external transmission. Even seemingly simple vocabulary queries can contain sensitive or identifying text in context, so silent forwarding to a third-party service creates privacy and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.