Product Changelog

Security checks across malware telemetry and agentic risk

Overview

This is a coherent changelog-writing skill with disclosed optional inference.sh visual-generation workflows, but users should be careful with the external installer and private product data.

Install this only if you trust inference.sh and the `infsh` CLI. Prefer the manual checksum-verification path in sensitive environments, and do not use the visual examples with private app URLs, unreleased screenshots, credentials, or customer data unless sending that material to the external provider is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to install software by piping a remote script directly into `sh`, which executes network-fetched code without prior inspection. Even though the text claims checksum verification and limited installer behavior, those assurances are embedded in the same untrusted content and do not eliminate the risk of supply-chain compromise, script tampering, or misleading users into unsafe execution habits.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal