03 Tech Scout

Security checks across malware telemetry and agentic risk

Overview

This is a transparent research-digest skill that searches public web sources and writes local digest files, with privacy considerations but no evidence of hidden or malicious behavior.

Install this only if you want recurring web/API research. Confirm whether daily automatic runs are enabled in your agent, use restricted API keys, avoid sensitive client names or strategy terms in keywords, and periodically review or clean the state digest files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The manual trigger phrases are broad enough to overlap with normal conversational requests, which can cause the skill to run in situations where the user did not explicitly intend a multi-source scan. Because the skill is designed to proactively search external services and generate persisted output, accidental invocation can lead to unnecessary network activity, data collection, and surprise behavior.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically write digest files to persistent state without a clear user-facing warning or consent mechanism. Persistent storage of searched topics, URLs, and inferred project relevance can expose sensitive interests or work context, and surprise file creation increases the risk of privacy and operational issues in shared or automated environments.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal