Back to skill

Security audit

Summon Translator Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward translation skill that uploads user-selected files to a paid translation API, with no hidden code or automatic behavior found.

Install only if you are comfortable sending selected documents to Summon Translator and the chosen AI provider. Use a dedicated revocable API key, monitor billing, and do not upload secrets, regulated data, or confidential documents unless your organization has approved that workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to upload arbitrary local files to a third-party translation API, but the command usage section does not prominently warn that file contents will leave the local environment and be processed remotely. Because the described use cases include compliance, supplier, and safety documents, users may transmit sensitive, regulated, or confidential material without informed consent or proper review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.