Back to skill

Security audit

Complianceradar Ai Monitor

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only compliance monitoring skill with disclosed external integrations, but users should verify its privacy and storage claims before relying on it for regulated work.

Install only with least-privilege API keys and a dedicated Slack webhook. Treat generated policy updates, audit evidence, and compliance alerts as drafts for legal or compliance review, and confirm your organization approves sending regulatory assessments or internal context to OpenAI, Slack, Google Sheets, GitHub, Notion, Zapier, or any configured storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation makes an inaccurate security/privacy claim: it says API keys are 'never logged or transmitted to third parties,' yet the skill depends on third-party services such as SEC/FDA APIs, Slack, and OpenAI, which necessarily involve transmitting secrets or authenticated requests externally. Misstating data-handling behavior can cause operators to underestimate exposure, misconfigure controls, or violate internal compliance expectations in a tool explicitly meant for regulated environments.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.