Envato Comment → Task → Google Sheet

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple, non-executable workflow that turns Envato comments into structured task JSON for a user-managed Google Sheet.

Install if you are comfortable processing Envato comment text and product URLs into a Google Sheet. Use a Google Apps Script endpoint you control, restrict sheet access, and avoid sending sensitive customer or business data unless that storage location is approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly instructs users to send the skill's JSON output to an external Apps Script webhook, but provides no warning about what data may be transmitted, who controls the endpoint, or the privacy/security implications of exporting potentially sensitive task content. In a workflow that processes comments, URLs, classifications, severity, and customer risk fields, this can lead to unintended exfiltration of user or business-sensitive data to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal