Dom Observer Pro

Security checks across malware telemetry and agentic risk

Overview

This skill describes a DOM monitoring utility that can read page content, so it is privacy-sensitive but disclosed and aligned with its purpose.

Install only if you need DOM monitoring. Before using the npm package, review its source and dependencies, limit selectors and host permissions, disable image/link extraction unless needed, avoid monitoring sensitive pages, and define clear consent, retention, and telemetry rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly advertises automatic content extraction, real-time monitoring, and use cases such as social media monitoring, chat message detection, data collection from SPAs, and user behavior tracking, but provides no privacy notice, consent guidance, data handling limits, or retention constraints. In a browser/extension context, this can lead operators to collect user-generated or sensitive page content without adequate disclosure or safeguards, increasing the risk of privacy violations and policy noncompliance.

VirusTotal

66/66 vendors flagged this skill as clean.
