Polito Notes

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill coherently converts user-provided course PDFs into local bilingual notes, with privacy-relevant file persistence disclosed.

Install this if you want local Polito lecture PDFs converted into persistent bilingual Markdown notes. Before use, confirm the target course folder and avoid processing confidential, personal, or regulated PDFs unless you are comfortable with their contents being saved locally and later indexed by local-rag.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases are broad enough to cause the skill to activate on vague, common educational queries such as 'notes', 'materia', or 'lezione'. Unintended invocation can make the agent process the wrong file or store sensitive lecture/PDF content into repository paths without clear user intent, increasing the chance of data handling mistakes.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The skill requires generating both Italian and English outputs by default without explicit user opt-in. This increases data proliferation and can duplicate sensitive or copyrighted material into multiple files, broadening exposure and retention beyond what the user may have intended.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal