V19 Trust Engine

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill explains a user-run external trust-scoring API and does not install code or perform hidden actions.

Install this only if you intend to use the V19 governance service. Before running the curl examples, verify the endpoint is one you trust, avoid submitting sensitive agent details, and keep any returned Pro key private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (95% confidence)
Finding
The skill embeds a real governance API key directly in example commands and does not explain its scope, rate limits, logging, or reuse implications. Even if intended as a public/read-only key, publishing reusable credentials in operational examples encourages blind reuse, normalizes secret leakage patterns, and can enable unauthorized consumption or telemetry generation against the remote service.

Missing User Warnings

Medium (91% confidence)
Finding
The self-registration example instructs users to POST agent data to an external endpoint and states that a Pro key will be returned, but it omits any notice about data transmission, retention, trust boundaries, or the sensitivity of the returned credential. This can trick users or downstream agents into disclosing identifiers and mishandling newly issued keys without informed consent or secure storage practices.

VirusTotal

62/62 vendors flagged this skill as clean.
