.Publish Temp

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only news aggregation setup guide; its main risk is a clearly shown GitHub-based pip install that users should verify before running.

Reasonable to install if you trust or have reviewed the referenced GitHub repository and tag. Use the documented virtual environment, avoid installing as root, and remember the tool will fetch public web/RSS/HTML sources and may write local output files you specify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to install directly from a remote GitHub repository via `pip install git+https://...`, which performs network access and executes unreviewed third-party package installation steps on the local system. Even though the dependency is version-pinned, this still expands the trust boundary to external infrastructure and code, and the skill does not warn about that risk or recommend verification before installation.

VirusTotal

64/64 vendors flagged this skill as clean.
