Security audit

Skillboss

Security checks across malware telemetry and agentic risk

Overview

SkillBoss is a coherent API helper for routing user-requested AI tasks through external providers, with privacy and cost considerations users should understand.

Install only if you are comfortable sending task data through SkillBoss and downstream providers. Use a scoped or low-budget API key, avoid secrets or regulated data unless approved, and be careful with email, SMS, scraping, and profile lookup actions because they can affect third parties and may incur costs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill advertises email, SMS, web search, scraping, document parsing, and speech features that inherently send user data to third-party services, but it does not disclose that prompts, files, contact details, audio, or retrieved content may leave the local environment. This can mislead users and agents into transmitting sensitive data without informed consent, increasing privacy, compliance, and data-handling risk across multiple external providers.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.