Back to skill

Security audit

Praesidia

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Praesidia integration, but it can send user content to a third-party API and make persistent guardrail changes without consistently requiring explicit confirmation.

Install only if you trust Praesidia and the configured API URL. Use a scoped API key if available, avoid submitting secrets or regulated/private content for validation unless external processing is intended, and require explicit approval before applying or changing guardrails because those settings can persist and affect production agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to send a POST request that creates or modifies remote guardrail configurations, which is a state-changing administrative action rather than a read-only verification function. Without an explicit confirmation step, authorization check, and clear notice that production policy will be changed, a user could trigger unintended live security-policy changes on an organization’s agents.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The validation flow sends arbitrary user-provided content to a remote API for inspection, which creates an external data exfiltration path for potentially sensitive prompts, personal data, or confidential business information. Because the skill does not require a privacy warning or consent before transmission, users may unknowingly disclose sensitive content to a third party.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs the assistant to apply guardrails that can BLOCK, REDACT, REPLACE, RETRY, or ESCALATE content, but it does not clearly require user consent or warn that these actions may alter or suppress user/agent input and output. In a skill that frames itself as a security layer, this omission can lead to silent content manipulation or operational disruption, especially if an assistant auto-applies policies based on natural-language requests.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill description contains broad trigger phrases such as security policies, content moderation, and general safety/discovery wording that can match many common user requests. This increases the chance the skill is invoked in situations where users did not intend third-party verification or remote policy operations, expanding exposure to external requests and state-changing actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions show how to apply a guardrail via POST but do not clearly warn that this changes a live remote configuration for an agent. In practice, an assistant following these instructions could alter production security behavior without the user appreciating the operational impact, causing outages, overblocking, or policy drift.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow encourages sending user-supplied content to a remote validation service without a clear notice that the content leaves the local environment. This is dangerous because users may paste secrets, regulated data, or proprietary text assuming the assistant is only checking locally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
README.md:566