Gift Up

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it exposes high-impact business actions like deletion, gift-card voiding, and redemption reversal without clear confirmation safeguards.

Review before installing. Use it only with accounts where you are comfortable allowing the agent to change business records, and require explicit confirmation before deleting items, voiding gift cards, undoing redemptions, refunds, or other irreversible actions. Verify exact IDs and affected amounts before any live mutation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill prominently exposes destructive and irreversible operations such as deleting items, voiding gift cards, and undoing redemptions without instructing the agent to obtain confirmation or warn about business impact. In an agent setting, this increases the risk of accidental or overly-trusting execution of state-changing actions that can cause financial loss, data integrity issues, or customer harm.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal