Industry Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent industry-research workflow that uses expected research tools and saves a scoped report, with no evidence of hidden or destructive behavior.

Before installing, confirm that Exa, Firecrawl, and Ahrefs are approved for the client data you plan to research. Expect the skill to read existing product-marketing context files when present and to create or update a research report under .agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 87%
Finding: The skill instructs the agent to read local project files for context without requiring user awareness or confirmation. Even though the referenced file is plausibly legitimate, it normalizes silent access to workspace contents and may expose sensitive business context or client data beyond what the user intended to share in the current interaction.

Missing User Warnings

Medium
Confidence: 91%
Finding: The skill directs writing a generated artifact into the workspace without warning that it will create or overwrite files. This can unexpectedly modify project state, clobber existing artifacts, or leave sensitive research data in a shared repository, especially when the client-derived filename is not explicitly confirmed by the user.

VirusTotal

53/53 vendors flagged this skill as clean.
