Threat Radar

Security checks across malware telemetry and agentic risk

Overview

This security scanner is mostly purpose-aligned, but it substantially overstates its CVE, alerting, and scheduling capabilities, which could give users false confidence.

Install only if you treat this as a lightweight local prototype, not a dependable CVE monitoring or alerting system. Review the config before scanning, keep generated reports and logs private, and do not rely on its vulnerability results until real CVE feed retrieval, command coverage, alert behavior, and scheduling are implemented and verified.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding:
The code claims to fetch current CVE data from NVD and GitHub but actually writes a tiny hardcoded mock dataset and leaves GitHub empty. In a security scanning skill, this creates a misleading sense of protection and can cause users to miss real vulnerabilities because scan results appear authoritative but are materially incomplete.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill explicitly advertises port discovery and local network scanning but does not present a clear consent, scope, or impact warning to the user before probing the network. Even if limited to RFC1918 ranges, active scanning can surprise users, violate local policy, and map internal services that become sensitive if logged, stored, or exfiltrated via downstream integrations.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill claims alerts can be sent via WhatsApp/Telegram/Discord while also asserting 'No external services required,' creating a misleading privacy posture. Security findings, asset names, CVEs, hostnames, and exposure details may be transmitted off-system to third-party messaging platforms without a prominent warning about data disclosure and retention risks.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The SSL scan makes outbound network connections to configured domains without clear disclosure or trust boundaries. In an agent skill context, this can probe attacker-supplied hosts, leak that the environment is running the scanner, and potentially be abused for internal network reconnaissance if domains or endpoints are influenced by untrusted input.

VirusTotal

65/65 vendors flagged this skill as clean.
