Back to skill

Security audit

Slv Benchmark

Security checks across malware telemetry and agentic risk

Overview

This benchmark skill is mostly coherent, but it can automatically read and use a saved local ERPC API key without a clear consent or redaction flow.

Install only if you are comfortable with the agent reading ~/.slv/api.yml and using an ERPC API key during benchmark runs. Review the generated config and command before execution, avoid sharing output that may contain keys, and verify the local geyserbench binary before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown instructs the agent to check `~/.slv/api.yml` and reuse an existing ERPC API key, which involves accessing sensitive local credentials. The file does not include any warning or disclosure to the user that stored credentials may be read and used during benchmark execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.