Credence

Security checks across malware telemetry and agentic risk

Overview

Credence is an instruction-only helper that checks tools against a public trust registry, with no hidden code, credentials, persistence, or destructive behavior found.

Install only if you are comfortable with the agent contacting a third-party public registry when evaluating MCP servers or AI tools. Before acting on an APPROVED result, verify the exact server name or repository URL, because the skill permits partial matches and the registry can change over time.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger condition 'When you want to verify whether a tool is safe' is broad enough to cause the skill to activate in many loosely related contexts, potentially steering the agent into fetching and relying on an external trust registry without an explicit user request. In a security-sensitive installation workflow, this can create unnecessary external network access and over-dependence on a third-party verdict, increasing the chance of inappropriate invocation or decision influence.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal