Fogbugz

Security checks across malware telemetry and agentic risk

Overview

The skill appears to manage support cases, but it grants case-changing authority without clear confirmation safeguards.

Install only if you are comfortable letting the agent change case records. Before use, require the agent to summarize the exact case ID, operation, and new status, then wait for explicit confirmation before creating, editing, closing, resolving, or reopening any case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents multiple state-changing operations such as creating, editing, resolving, reopening, and closing cases, but provides no guidance to require explicit user confirmation before executing impactful changes. In an agent setting, this increases the risk of unintended modifications to production project data if the model misinterprets user intent or acts too eagerly.

VirusTotal

63/63 vendors flagged this skill as clean.
