sentinel_download

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sentinel satellite imagery search and download skill, with expected network and file-download behavior plus setup cautions.

Install if you are comfortable with a tool that contacts STAC services and downloads imagery. Use a virtual environment for Python dependencies, avoid --check-deps unless you intend to install packages, choose a non-sensitive output folder, and prefer trusted STAC endpoints because remote item metadata influences local download paths.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The wrapper script automatically installs Python packages with pip when dependencies are missing, which expands its behavior from a downloader into package management and executes network-fetched code on the user's system. In a security-sensitive agent context, this is risky because package installation may pull unpinned or tampered dependencies, modify the environment unexpectedly, and bypass user review.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal