Security audit

Preview Quiz

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward RooQuiz preview helper, with the main risk being that quiz content is sent to a third-party preview service.

Install only if you are comfortable sending quiz titles, descriptions, questions, answers, and links to RooQuiz/Quizster for a temporary shareable preview. Do not use it with secrets, private business material, student records, health data, or other sensitive information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs users to POST arbitrary quiz JSON to a third-party public endpoint, but it does not prominently warn that all quiz contents are transmitted off-platform to RooQuiz infrastructure. This creates a real data exposure risk if users include sensitive, proprietary, or personal information in quiz titles, descriptions, questions, answers, or embedded links, especially because the resulting preview is browser-openable and shareable.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal