Back to skill

Security audit

Spawn Subagent

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a subagent delegation guide, but it includes under-scoped examples for reading private email and calendar data.

Review before installing. Use this only if you are comfortable with delegated agents running background tasks, and require explicit user approval before any subagent accesses email, calendar, credentials, external accounts, or stores private outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes a concrete example that retrieves calendar events and unread emails for a specific account and writes them to a local file, but it does not include any warning, consent requirement, data-minimization guidance, or handling precautions for privacy-sensitive information. In a delegation skill, examples strongly shape downstream agent behavior, so this can normalize collecting and storing personal data without explicit user confirmation or safeguards.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.