SIGNL4 Alerting

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SIGNL4 alerting skill that sends and resolves alerts through SIGNL4 using a configured team secret.

Before installing, confirm that sending alert titles, messages, external IDs, service names, scenario, and location data to SIGNL4 is acceptable for your environment. Store SIGNL4_TEAM_SECRET in a protected environment or secrets manager, avoid putting sensitive secrets or regulated data in alert bodies, and rotate the team secret if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README instructs users to configure a sensitive team secret and send alert payloads to an external webhook, but it does not warn that alert content leaves the local environment or that the secret embedded in requests can grant the ability to trigger or close incidents. In an agent skill context, this omission is risky because users may unknowingly transmit sensitive operational data or mishandle the credential, enabling unauthorized alert creation, resolution, or alerting abuse if the secret is exposed.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal