Vehicle

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward vehicle-engineering CAD workflow that sends user-entered design parameters to the stated JXT/jixietools API, with privacy caution warranted but no evidence of hidden or destructive behavior.

Install this only if you are comfortable sharing vehicle design inputs and generated production-sheet references with jixietools.com. Because the skill creates guest-access production sheets without login, treat guest codes and links as sensitive and avoid entering confidential business specifications unless that service is approved for your use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger phrase includes the bare English word "vehicle", which is overly broad and can cause accidental invocation in unrelated conversations. This increases the chance that users are routed into a workflow that collects engineering parameters and transmits them to an external service without clear intent.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to send user-supplied parameters to a third-party API and to poll production-sheet status, but it never tells the user that their data will leave the platform. This creates a privacy and transparency risk, especially because engineering specifications, filenames, and guest access codes may be sensitive business information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal