Security audit

02 Risk Scoring

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned assessment skill, but users should avoid pasting raw sensitive business or customer details into it.

Install/use is reasonable if you treat inputs carefully: provide aggregated metrics, redact customer identifiers and case narratives, and do not paste leaked records, contact details, addresses, credentials, or confidential complaint files unless you have a separate approved handling process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (92% confidence)

Finding
The skill explicitly asks users to provide operational metrics, complaint records, and violation information, which can contain commercially sensitive data and may also include personal or case-level details. Because the skill provides no instruction to minimize, anonymize, or avoid submitting personal/confidential information, users could overshare sensitive business or personal data into the assessment flow.

Missing User Warnings

Medium (88% confidence)

Finding
The skill evaluates issues such as user-information leakage and serious complaints, which increases the likelihood that operators will paste incident details containing personal information. Without an explicit warning against submitting raw personal data or leaked records, the skill can encourage unsafe handling of exactly the type of sensitive information it is meant to assess.

VirusTotal

65/65 vendors flagged this skill as clean.