Heat Exchanger

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CAD drawing helper that calls an external guest workflow, with a privacy caveat about shareable links but no evidence of hidden, destructive, or malicious behavior.

Before installing, treat any generated guest_code and jixietools.com/s/... link as sensitive if the CAD parameters, manufacturing details, or output drawings are private. Only use the guest workflow for designs you are comfortable sending to the JXT service and sharing by link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs users to create guest production sheets and access them via public-style guest codes and shareable URLs, but it gives no warning that anyone with the link or code may be able to view potentially sensitive design data. This creates a real risk of unintended disclosure of proprietary CAD parameters, manufacturing details, or business-sensitive documents.

VirusTotal

64/64 vendors flagged this skill as clean.
