Suspension

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed suspension CAD workflow that uses a third-party API, with no hidden code, credentials, or local persistence found.

Before installing, understand that suspension design parameters will be sent to jixietools.com and a guest production sheet may be created there. Avoid entering proprietary or customer-sensitive engineering data unless you trust that service, and confirm intentionally before calculation or production-sheet creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 81% confidence

Finding: The trigger phrases are broad enough that ordinary conversation about suspension systems could invoke the skill unintentionally. Because the skill then guides users into transmitting engineering parameters to an external service and creating remote production sheets, accidental activation can cause unintended disclosure and remote side effects.

Missing User Warnings

Medium, 95% confidence

Finding: The skill explicitly sends user-supplied design parameters to a third-party API and later creates a remote production sheet, but it does not warn the user or obtain informed consent first. This creates a privacy and data-governance risk, especially if the parameters include proprietary engineering data or customer-specific vehicle specifications.

VirusTotal

64/64 vendors flagged this skill as clean.