AllOurThings

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be an inventory-vault helper with disclosed delete operations; the main risk is accidental loss of stored personal records, not evidence of hidden or malicious behavior.

Install only if you are comfortable letting the agent manage and delete inventory records and attachments. Before using delete_item or delete_attachment, ask the agent to show exactly what will be deleted and confirm one item or attachment at a time; keep backups for receipts, warranty documents, manuals, and photos you cannot easily replace.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly exposes `delete_item` and `delete_attachment` operations but does not document any requirement for explicit user confirmation, soft-delete behavior, or safeguards before destructive actions. In an inventory vault containing receipts, manuals, warranty documents, and photos, accidental or prompt-induced deletion could cause irreversible loss of valuable personal records.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal