Box

Security checks across malware telemetry and agentic risk

Overview

This Box integration is a normal authenticated file-management skill, but users should be careful because its fallback API request path can perform writes or deletes.

Install only if you want an agent to work with your Box account. Prefer listed/read-only tools first, use raw API requests only when needed, and require explicit confirmation before uploads, permission changes, bulk operations, or deletes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents a generic proxy mechanism that supports POST, PUT, PATCH, and DELETE against the Box API without emphasizing that these calls can create, alter, or delete user data. In an agent setting, this increases the chance of destructive actions being taken through raw requests without sufficient confirmation, guardrails, or least-privilege guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
