2Chat

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed 2Chat connector wrapper with sensitive-account access, but its actions are scoped and it includes user-confirmation guidance for writes.

Install this only if you intend to let an agent operate your connected 2Chat account through OOMOL. Treat contact lists, webhook lists, API usage, and account details as sensitive, and review the exact payload before allowing any create or future state-changing action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill description says to use this skill for ANY 2Chat request and instead of calling the API directly, which is an overly broad trigger that can cause the agent to invoke the skill whenever 2Chat is mentioned, even when the task is only informational or does not require connector access. In an agent setting, this increases the chance of unnecessary external actions, schema inspection, or state-changing workflows being initiated without the narrowest-necessary tool selection.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal