Horus Lite

Security checks across malware telemetry and agentic risk

Overview

This meeting-notes skill is purpose-aligned and has no evidence of hidden access or exfiltration, but it can echo pasted meeting text into the agent output.

Install only if you are comfortable with pasted meeting notes appearing in the agent session and possible logs. Avoid highly confidential transcripts unless you redact them first or remove the raw-note print step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill processes raw meeting notes, which commonly contain sensitive business, personal, or confidential information, yet the workflow gives no privacy warning before echoing that content back to output. In this context, the missing warning increases the chance users will paste secrets or regulated data without realizing it may be displayed in cleartext or captured in logs.

Ssd 3

Medium
Confidence: 99%
Finding
The code prints the full contents of MEETING_NOTES directly to stdout, which can expose sensitive user-supplied data such as internal discussions, names, deadlines, credentials, or incident details. In agent, terminal, or hosted environments, stdout is often logged, persisted, or visible to other tools, making this a real confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
