us3-skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uploads user-chosen files to a configured UCloud US3 bucket and returns public links.

Install only if you want your agent to upload selected local files to a public US3 bucket. Avoid uploading secrets or private documents, review file paths and batch patterns carefully, and use a least-privilege UCloud key limited to the intended bucket.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill’s primary usage guidance tells users how to upload files and generate shareable links, but it does not prominently warn at the point of use that uploads go to a public bucket and will be directly accessible to anyone with the URL. This creates a real risk of accidental disclosure of sensitive documents, images, or other private data because users may reasonably assume cloud uploads are private by default.

Unpinned Dependencies

Low

Category: Supply Chain
Content: "author": "", "license": "ISC", "dependencies": { "mime": "^1.6.0", "ufile": "^0.0.15" } }
Confidence: 92% confidence
Finding: "mime": "^1.6.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "license": "ISC", "dependencies": { "mime": "^1.6.0", "ufile": "^0.0.15" } }
Confidence: 95% confidence
Finding: "ufile": "^0.0.15"

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal