Back to skill

Security audit

AI Detector

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but users should know submitted text is sent to an external detector service.

Install only if you are comfortable sending the text you analyze to GPTHumanizer. Avoid submitting secrets, private documents, personal data, or regulated content unless you have reviewed the service's privacy terms and have approval to share it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes use of an external detection API on user-provided text but does not warn that submitted content may leave the local environment and be processed by a third party. In a skill that analyzes arbitrary user text, this can lead to accidental disclosure of sensitive, proprietary, or regulated data because users and deployers may reasonably assume local-only processing unless told otherwise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example explicitly instructs users to send arbitrary text content to a third-party API, but it provides no warning about privacy, retention, consent, or data-sharing implications. Because users may paste sensitive, proprietary, or personal text into a detector service, this omission can lead to unintentional disclosure of confidential data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.