Skill

Security checks across malware telemetry and agentic risk

Overview

This TTS skill is documentation-only, and its disclosed voice, cache, update, and cleanup commands fit its stated audio purpose.

Before installing, be comfortable with local audio caching and voice asset downloads. Use cleanup after sensitive sessions, and check any separately installed command implementation before allowing update or cleanup actions to run automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill advertises `/agent-vibes:update` and `/agent-vibes:cleanup`/`clean` without any warning that they may modify the installation state or delete cached local files. In an agent-executed context, terse command descriptions can encourage users or downstream agents to invoke them automatically, creating risk of unintended updates, loss of cached data, or changes to a working environment.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal