A2A Marketplace

Security checks across malware telemetry and agentic risk

Overview

This is a coherent marketplace skill for finding and running paid AI tools, but users should control spending and data sharing carefully.

Install only if you are comfortable using an external marketplace plugin that can run paid third-party tools. Before execution, ask the agent to show the selected tool, provider, schema, exact input, price, and maximum total cost, especially for batch calls. Avoid sending sensitive data unless you understand the destination tool's handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly encourages users to execute third-party marketplace tools and notes that billing is applied automatically, but it does not present a clear warning, consent checkpoint, or guidance about financial and operational consequences. This can lead to unintended charges, execution of untrusted external tools, and risky batch actions, especially because the marketplace model normalizes trust scores without explaining their limits.

VirusTotal

63/63 vendors flagged this skill as clean.
