Kannaka Eye

Security checks across malware telemetry and agentic risk

Overview

This skill describes a local glyph viewer, but its launcher runs a missing server file from outside the reviewed package, so users could execute unreviewed code.

Review before installing or running. Ask the publisher to include the intended server.js inside the skill package and update the wrapper to run that reviewed file. If you still test it, inspect the exact server.js path first, avoid sensitive inputs, leave FLUX_URL unset unless you trust that endpoint, and stop the background process when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README advertises share links and external service integrations (Radio bridge, constellation monitoring, Flux publishing) but does not warn users that submitted data may be transmitted to other local or remote services, embedded in URLs, or exposed through dashboards. In a skill that processes arbitrary user data and supports cross-service exchange, omission of clear data-handling and privacy caveats can lead to unintended disclosure of sensitive input.

VirusTotal

65/65 vendors flagged this skill as clean.
