Match Loop by John Perry

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only workflow for iterative app building and visual QA, with expected browser/screenshot activity but no hidden install, persistence, credential handling, or exfiltration behavior found.

Install this only if you want an agent workflow that can edit a project, run local commands, open a browser, take screenshots, and coordinate generator/analyst sub-agents. Use it on a scoped project or branch, review dependency installs and commands, and avoid showing secrets, private customer data, tokens, or unrelated logged-in browser sessions during visual QA.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs an analyst agent to open applications, inspect rendered UIs, take screenshots, and review console/network/API behavior, but it does not require consent checks, redaction rules, or handling guidance for sensitive data. In real use, this can expose credentials, personal data, internal URLs, tokens in dev tools, or other confidential information during visual QA and debugging workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
