Back to skill

Security audit

Pub Mcporter

Security checks across malware telemetry and agentic risk

Overview

This documentation-only SkillBoss helper is not malicious, but it gives an agent broad external API access including email and SMS without enough confirmation or privacy guidance.

Install only if you trust SkillBoss with the data you send and can protect or revoke the SKILLBOSS_API_KEY. Before any email, SMS, OTP, document, media, or sensitive prompt request, require the agent to show the exact destination and content and get explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill exposes outbound email and SMS/OTP sending capabilities but provides no guidance to require explicit user confirmation, destination verification, or abuse-prevention checks before dispatching messages. In an agent setting, this can enable spam, phishing, unwanted verification attempts, or accidental communication to third parties using user-controlled input.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill is built around transmitting prompts, documents, audio, images, search queries, phone numbers, and other content to a remote aggregation API and downstream providers, yet it contains no privacy or data-handling warnings. Users may unknowingly send sensitive or regulated data to third parties, increasing risk of data leakage, compliance violations, and unintended retention by external services.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.