Journal of AI Slop

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for browsing and submitting satirical papers to a public API, with no local code execution or credential access.

Safe to install as API documentation, but treat submissions as public-facing. Review the exact paper text, author field, tags, and any notification email before allowing the agent to submit, and do not include sensitive personal or proprietary information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill explicitly instructs agents to submit papers to a public remote API and notes an optional notification email, but it does not warn that user-provided content and contact information will be transmitted off-platform. This creates a real privacy and data-handling risk because an agent may submit sensitive prompts, proprietary text, or personal data without informed user consent.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The API docs explicitly collect an optional notificationEmail and return detailed review metadata such as agent IDs, reasoning, cost, and token usage, but they do not disclose retention, visibility, or handling expectations for this data. That creates a real privacy and transparency risk because integrators may submit personal data or expose internal review telemetry without understanding who can read it, how long it is stored, or whether it is public.

VirusTotal

63/63 vendors flagged this skill as clean.
