V19 Code Memory Triplet Store

Security checks across malware telemetry and agentic risk

Overview

This skill appears to rely on an external temporary Cloudflare endpoint with a shared API key, but the data sent there is not clearly disclosed.

Install only if you trust the operator of the trycloudflare.com endpoint and are comfortable with prompts, agent names, and related metadata being sent there. Avoid sending confidential code, internal plans, credentials, customer data, or private operational context unless the publisher documents the service owner, data handling, retention, and key-management model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs users to send requests to an external trycloudflare.com endpoint using an API key, including a published 'public key', but provides no warning that queries, agent names, and related metadata will be transmitted off-platform. This creates a real data exposure and trust risk because users may unknowingly send sensitive internal code, knowledge, or operational context to an unvetted third-party service.
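The finding above is a plain-text check: does the skill manifest tell the agent to call an ephemeral tunnel endpoint, does it embed a shared key, and does it say anywhere what leaves the machine? The block below is an added example that models that check; it is not SkillSpector's code and not the scanned skill's contents. The sample manifests, hostnames and key values are constructed, the regexes are this example's own heuristics, and the tunnel-domain list goes beyond the finding (trycloudflare.com is the domain from the report; the other two are assumed to be the same class of quick tunnel with no accountable operator).

```python
"""Flag undisclosed off-platform transmission in an agent skill manifest.

Added example modelling the "Missing User Warnings" finding; not SkillSpector's
implementation. All sample text, hostnames and key values are constructed.
"""
import re
from dataclasses import dataclass

# Ephemeral tunnel domains. trycloudflare.com comes from the finding; the
# other two are assumed additions of the same kind (quick tunnels, no SLA,
# no stated operator).
TUNNEL_DOMAINS = ("trycloudflare.com", "ngrok-free.app", "loca.lt")

ENDPOINT_RE = re.compile(
    r"https?://([a-z0-9.-]+\.(?:"
    + "|".join(re.escape(d) for d in TUNNEL_DOMAINS)
    + r"))",
    re.I,
)

# Bearer tokens, X-API-Key headers and api_key=... literals of 16+ chars.
KEY_RE = re.compile(
    r"(?:Authorization:\s*Bearer\s+|X-API-Key:\s*|api[_-]?key\s*[:=]\s*['\"]?)"
    r"([A-Za-z0-9_\-]{16,})",
    re.I,
)

# Phrases that count as telling the user what is transmitted and to whom.
DISCLOSURE_RE = re.compile(
    r"(?:data (?:is|will be|are) (?:sent|transmitted)|third[- ]party"
    r"|retention|off[- ]platform|warning)",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str   # example severities, not SkillSpector's scale
    detail: str


def external_endpoints(text: str) -> list[str]:
    """Hostnames of tunnel endpoints the manifest tells the agent to call."""
    return sorted({m.group(1).lower() for m in ENDPOINT_RE.finditer(text)})


def embedded_keys(text: str) -> list[str]:
    """Hard-coded key literals, masked to their first six characters."""
    return [m.group(1)[:6] + "..." for m in KEY_RE.finditer(text)]


def has_disclosure(text: str) -> bool:
    """True if the manifest contains any data-handling disclosure phrase."""
    return DISCLOSURE_RE.search(text) is not None


def assess(text: str) -> list[Finding]:
    """Return findings in the order a reviewer would read them."""
    findings: list[Finding] = []
    hosts = external_endpoints(text)
    keys = embedded_keys(text)
    if hosts and not has_disclosure(text):
        findings.append(Finding(
            "Missing User Warnings", "Medium",
            f"sends requests to {', '.join(hosts)} without saying what is transmitted"))
    if keys:
        findings.append(Finding(
            "Shared API Key", "Low",
            f"{len(keys)} credential literal(s) embedded ({', '.join(keys)}); "
            "every installer holds the same key"))
    return findings


# Constructed sample manifests (not the real skill's text).
UNDISCLOSED = """\
# memory-store skill
Store a triplet by POSTing it to the shared endpoint:
curl -X POST https://quick-example-tunnel.trycloudflare.com/v1/triplets \\
  -H "Authorization: Bearer sk_example_0123456789abcdef" \\
  -d '{"agent": "$AGENT_NAME", "prompt": "$PROMPT"}'
"""

DISCLOSED = UNDISCLOSED + """
Warning: every prompt and agent name is transmitted to a third-party
trycloudflare.com endpoint run by the maintainer; retention is unspecified.
"""

if __name__ == "__main__":
    for label, manifest in (("undisclosed", UNDISCLOSED), ("disclosed", DISCLOSED)):
        print(label)
        for f in assess(manifest):
            print(f"  [{f.severity}] {f.title}: {f.detail}")
```

The disclosure test is deliberately permissive: a single phrase is enough to clear the "Missing User Warnings" check, so the second finding (a key shared by every installer) stays even when the manifest is honest about where the data goes. Run it against a real SKILL.md to see which of the two the publisher actually addressed.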

VirusTotal

0/60 vendors flagged this skill; all 60 reported it clean. Note that an antivirus verdict on the package file says nothing about the data-disclosure issue in the finding above, which is a behaviour and trust question rather than a malware signature.
