ANCC

Security checks across malware telemetry and agentic risk

Overview

This skill is not plainly malicious, but it needs review because its audit workflow may inspect sensitive local credential and history locations through an external CLI.

Install only if you specifically want to use the ANCC CLI for local agent/tool auditing. Prefer pinned or verified releases over latest downloads, run scoped commands where possible, and review audit output before sharing because it may reveal sensitive local configuration or credential paths.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The description is broadly phrased around discovering, validating, integrating tools, auditing security, checking token budgets, and building tools, which can match a wide range of user intents beyond a narrowly scoped capability. In agent skill-selection systems that rely heavily on descriptions, this increases the chance the skill is invoked in unrelated contexts, potentially causing unnecessary exposure to sensitive environment information or encouraging installation-related guidance when not needed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal