Compliance Review

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned but needs review because it automates approvals in a sensitive insurance workflow while leaving key controls and data handling unclear.

Review before installing. Confirm whether the skill can approve or mutate claim-review tasks, disable first-run auto-approval unless explicitly required, verify the missing runtime code, and make sure Feishu notifications and 90-day audit logs comply with your privacy and compliance rules.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly states that review results are pushed to Feishu, but it does not disclose what data is transmitted, whether sensitive claims or authorization details are included, or what controls protect that transmission. In a compliance-review workflow involving insurance claim authorization letters, even review metadata can contain personal or sensitive business information, so undocumented third-party transmission creates a real privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal