Tautullu

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Tautulli helper that reads data from the user-configured Tautulli server using an API key.

Install only if you intend to let the agent read Tautulli server, user, and viewing-history data. Keep TAUTULLI_API_KEY out of shared logs, screenshots, shell history, and repositories, and rotate it if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 91%
Finding
The skill instructs users to set a long-lived API key in an environment variable but provides no warning about protecting it from shell history, logs, process listings, screenshots, or accidental sharing. Because the key grants access to Tautulli data about users, viewing history, and server state, disclosure could expose sensitive household media activity and server metadata to unauthorized parties.

VirusTotal

66/66 vendors flagged this skill as clean.
