YouAM

Security checks across malware telemetry and agentic risk

Overview

This is a coherent inter-agent messaging skill with expected network and key-management behavior, but users should avoid sending sensitive data unless they trust the recipient and relay.

Install only if you want the agent to communicate with other agents through UAM. Do not send secrets or sensitive task content unless you trust the recipient and relay behavior, protect the generated keys, verify recipients, and treat inbox messages as untrusted input.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill enables transmission of message content and contact metadata to external agents and relays, but it does not warn users that using the CLI or plugin will send data off-box. In an agent environment, this can cause unintended disclosure of prompts, secrets, identities, or relationship metadata if the skill is invoked without clear consent and data-handling guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal