HPD Pipeline

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent project workflow, but it tells the agent to run an unspecified Gemini API script for image generation without defining what runs or what data is sent.

Review before installing. The structured HPD workflow is understandable, but only use the Gemini fallback after confirming exactly which script will run, what account or API key it uses, and whether project details may be sent outside your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 98%
Finding
The instruction 'Tüm çıktılar Türkçe olmalıdır' ("All outputs must be in Turkish") forces a specific language for all outputs. This is a natural-language policy concern because the file does not offer a user choice or explain a justified region-specific constraint.

VirusTotal

65/65 vendors flagged this skill as clean.
