AI Leaderboard

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public AI leaderboard and model-pricing data, with disclosed browser automation and no evidence of hidden local data access or harmful behavior.

Install this if you want live AI leaderboard and OpenRouter model lookup. Be aware it can invoke browser automation and visit external ranking sites for fairly broad model-comparison requests; use a non-sensitive browser context if automated page access concerns you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The description embeds many broad trigger phrases such as 'best AI models', 'model comparison', and similar generic terms that are likely to appear in normal conversation. This can cause unintended invocation of a skill that has network and shell-adjacent capabilities, increasing the chance of surprising or unsafe activation.

Vague Triggers

Medium
Confidence: 94%
Finding
The dedicated trigger keyword section contains numerous ambiguous phrases in English and Chinese, including everyday benchmark and comparison language without strict scope qualifiers. In context, this is more dangerous because the skill can drive browser automation and command execution after activation, so accidental matches can lead to unnecessary remote interaction.

VirusTotal

66/66 vendors flagged this skill as clean.
