Security audit

Breathe

Security checks across malware telemetry and agentic risk

Overview

This Breathe connector skill is not shown to be malware, but it needs review because its read-only framing conflicts with broader connector action authority.

Review the available Breathe actions and account permissions before installing. Use it only with an account whose Breathe permissions match what you want the agent to do, and require explicit confirmation for any write, delete, or administrative change.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: The manifest and description position the skill as a read-only interface for 'searching and reading data,' but the instructions explicitly permit running any Breathe connector action and describe handling for [write] and [destructive] actions. That mismatch can mislead an agent or reviewer into granting broader operational authority than intended, increasing the risk of unauthorized state changes if additional write-capable actions exist or are later added.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger text says to use this skill for 'ANY Breathe request,' which is broader than necessary and encourages routing all Breathe-related tasks through a shell-capable connector wrapper. Overbroad invocation criteria increase attack surface by causing the skill to be selected in situations where direct, narrower, or safer handling would be more appropriate.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal