Back to skill

Security audit

VirusTotal 样本查询

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed VirusTotal hash lookup helper with scoped web/API use and no install-time code.

Install only if you are comfortable sending queried hashes to VirusTotal. Prefer an official VirusTotal API key over browser automation, use a limited and revocable key, and avoid using this skill for enterprise or high-volume workflows unless you have checked VirusTotal’s terms and your organization’s policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to use browser automation to access and scrape VirusTotal when no API key is provided. This expands the skill from passive formatting into active web interaction and data extraction, increasing attack surface, legal/compliance risk, and the chance the agent performs unintended navigation or scraping beyond the minimal task.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.