Common-Fetcher

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a normal data-fetching tool whose network access, scraping/API use, scheduling, and file output fit its stated purpose.

Before installing, confirm which RSS feeds, websites, APIs, schedules, AI providers, and output directories it will use. Treat it as a networked collector: configure rate limits and retention, avoid collecting sensitive or unauthorized content, and disable scheduled runs unless you want ongoing background collection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation explicitly describes web scraping, API access, scheduled execution, and writing outputs, but it does not disclose that the skill will perform outbound network requests and persist fetched data to files. In an agent environment, this can lead to unexpected data egress, compliance issues, or accidental collection/storage of sensitive content because operators may enable the skill without understanding its network and file-system behavior.

VirusTotal

65/65 vendors flagged this skill as clean.
