Back to skill

Security audit

learning-system

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use task and feedback data for its stated workflow, but users should treat that logging/profiling as sensitive.

Install only if you are comfortable with the skill helping record or reason over task history and feedback. Avoid using it with secrets, private personnel details, customer data, or sensitive project context unless you have clear local retention, deletion, and access-control practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes collecting detailed task metadata, user feedback, collaboration history, contextual project details, and performance profiles, but provides no privacy notice, consent boundary, minimization rule, or retention/access controls. In a real agent environment, this could lead to unnecessary aggregation of sensitive operational or personal data and enable profiling beyond user expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.