Phy Security Headers

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HTTP security-header checker that contacts user-provided URLs and does not show hidden persistence, credential use, or destructive behavior.

Install only if you want an agent to make network requests to websites or local dev servers you name. Use it on systems you own or have permission to test, and be careful with localhost, private network addresses, cloud metadata endpoints, and redirects.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly supports fetching arbitrary live URLs and localhost/dev servers, but the description does not clearly warn users that it will make outbound HTTP requests to supplied targets. In an agent setting, this increases the risk of unintended SSRF-style access to internal services, localhost applications, cloud metadata endpoints, or sensitive staging systems because users may not realize network access will occur.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal