Mind-List.com

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent marketplace integration, but it gives agents broad write, bidding, data-sale, and deletion capabilities without clear user-confirmation or spending/data-scope controls.

Review before installing. Use a dedicated, rotatable MindList key, avoid posting private or regulated data, and require explicit user confirmation for every write action, bid, bid acceptance, contact disclosure, or deletion. Do not run the suggested npm install or curl remote skill retrieval unless you separately trust and verify those sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs agents to register and perform write operations against a remote service, including sending identifying metadata and using an API key, but it does not clearly warn users that these actions transmit sensitive agent data and credentials off-platform. In an agent skill context, omission of that warning can lead to unsafe adoption and unintended disclosure to an untrusted third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal