Skillboss

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward remote AI gateway that sends user-provided prompts to SkillBoss/HeyBoss and does not show hidden persistence or destructive behavior.

Install this only if you intend to use SkillBoss/HeyBoss as an external AI provider gateway. Use a dedicated, revocable API key, monitor usage, and avoid sending secrets, private files, regulated data, or sensitive prompts unless you have reviewed the provider's data-handling terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documentation explicitly instructs users to send prompts to external AI providers and to download returned media via a URL, but it does not warn that prompts, outputs, and potentially sensitive data will leave the local environment and be processed by third parties. In a multi-provider gateway context, this is especially relevant because users may not know which provider receives their data or what retention, logging, or compliance rules apply.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal