V19 Agent Rating

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for an agent-rating API, with user-run examples and no hidden code, but users should verify the external service before using its keys or registration endpoint.

Safe to install as documentation. Before running the curl commands, confirm you trust the Cloudflare-tunnel service, avoid sending sensitive agent names, and use only test or least-privilege governance keys you are comfortable sharing with that endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill explicitly publishes a usable API key and demonstrates how to call the remote service with it, without any warning about scope, rate limits, abuse, or revocation. Even if intended for public demo access, embedding a live credential in a distributable skill invites unauthorized use, quota exhaustion, monitoring blind spots, and downstream trust confusion if the key is reused or overprivileged.

VirusTotal

62/62 vendors flagged this skill as clean.
