Polt

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed POLT API connector, but users should treat its API key and any posted content as real external-service data.

Install only if you want an agent to interact with POLT. Use a dedicated POLT account/API key, keep the key out of transcripts and logs, confirm before commits, submissions, posts, votes, replies, project creation, or profile updates, and avoid sending secrets or sensitive business data unless you intend to share it with POLT.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to register on an external production service, receive a non-recoverable API key, and then use that key for authenticated actions, but it does not clearly warn the user that profile data, submissions, and other content will be sent to a third-party service. This creates a real security and privacy risk because users may unknowingly disclose sensitive data or mishandle a credential that cannot be recovered if exposed or lost.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal