Download File

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward file-download helper that uses curl to save user-requested HTTP/HTTPS files locally, with normal caution needed around trusted URLs and overwrite safety.

Install this if you want the agent to download files for you. Before each use, confirm the source URL is trusted, choose a safe destination such as Downloads, avoid overwriting existing important files, and verify or scan downloaded files before opening or running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrases are broad enough to match ordinary user requests such as 'get this file' or 'download this file,' which can cause unintended invocation of a skill that performs network access and local file writes. In an agentic environment, overbroad routing increases the chance that untrusted URLs or ambiguous requests are acted on without sufficient confirmation.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill directs the agent to fetch remote content and write it to local storage but does not prominently disclose those side effects at the point of use. That omission can mislead users and higher-level planners about the sensitivity of the action, increasing the risk of silent data ingress, storage abuse, or placement of risky files on disk.

VirusTotal

64/64 vendors flagged this skill as clean.
