Thoth Lite

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward README generator that reads user-selected project files, with the main risk being accidental exposure of sensitive file contents.

Install only if you are comfortable sending excerpts from the selected file or project folder to the agent context. Avoid pointing it at repositories or paths containing secrets, credentials, private customer data, or confidential source files, and consider using a virtual environment instead of the suggested system-level pip install command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill reads up to 20 files from the provided path and prints the first 3000 characters of each, which can expose proprietary source code, embedded secrets, credentials, or sensitive data to the model or downstream logs. Because there is no explicit warning, consent checkpoint, or filtering for sensitive files, a user may unintentionally disclose confidential content simply by pointing the skill at a project directory.

VirusTotal

47/47 vendors flagged this skill as clean.
