Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it can guide agents to globally install third-party skills while skipping confirmation prompts.

Install only if you want an agent to search for third-party skills, and require explicit approval before any install command. Prefer reviewing the target skill source, publisher, permissions, and dependencies, and avoid `-g -y` unless you intentionally want a persistent user-wide install with prompts suppressed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly recommends `npx skills add <owner/repo@skill> -g -y`, which performs a global installation and suppresses confirmation prompts without requiring any warning, trust check, or user re-confirmation. In a skill-discovery context, this increases the chance of silently making system-affecting changes based on search results or conversational flow, which could install untrusted third-party code or persistent agent behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal