Back to skill

Security audit

URL to Clean Content

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid web-page cleanup helper with no executable code, but users should avoid sending sensitive or internal URLs to the external service.

Install only if you are comfortable with an external provider fetching the pages you specify and charging the stated x402 fee per call. Use it for public web pages, and avoid internal systems, private documents, authenticated pages, localhost URLs, or sensitive customer/business data unless you have explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description recommends use for broad tasks like reading, summarizing, researching, or extracting facts from arbitrary web pages, which can cause an agent to invoke this paid external-fetch capability in many common situations without strong scoping. That increases the chance of unnecessary third-party data exfiltration, unintended retrieval of sensitive/internal URLs, and overuse of a networked tool where a local or safer option would suffice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.