Deep Research Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-research skill that searches public web sources, reads selected pages, and saves reports locally, with no evidence of hidden exfiltration or destructive behavior.

Install only if you want an agent to send search terms to DuckDuckGo, fetch selected third-party pages, and save research reports locally. Review any external repo or CLI script before running it, and ask the agent not to save files or not to use web access for sensitive research topics.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill is effectively designed to activate for almost any research or information-seeking request, making its trigger scope very broad. Overbroad activation can cause the agent to invoke web-searching and file-writing behavior in ordinary conversations where a narrower skill or no skill should apply, increasing the chance of unintended external access, prompt-scope expansion, and misuse of downstream tools.

External Script Fetching

High

Category: Supply Chain
Content: For the most promising URLs, fetch full content: ```bash curl -sL "<url>" | python3 -c " import sys, re html = sys.stdin.read() # Strip tags, get text
Confidence: 95% confidence
Finding: curl -sL "<url>" | python

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal