SIGAA

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SIGAA portal automation helper, but users should handle the required academic credentials carefully.

Install only if you intend an agent to access your SIGAA account. Verify SIGAA_URL and any CAS redirect before login, avoid shared or logged environments for SIGAA_USER/SIGAA_PASSWORD, unset credentials after use, and require explicit confirmation before any enrollment, attendance, or grade-changing workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README explicitly instructs users to export SIGAA credentials, including a password, into environment variables but does not warn that env vars can be exposed through shell history, process inspection, child processes, crash dumps, or CI logs. Because this skill handles real academic credentials for student and professor portals, the omission increases the chance of credential leakage in operational use.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal