Digital Product Builder

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill fits its stated purpose, with the main caution being careful handling of the Groq API key and any text sent to Groq.

Before installing, be comfortable with running a pip install for Pillow and using Groq as an external API for copy generation. Store the Groq key outside version control, do not print or commit it, and avoid putting secrets, customer data, or confidential product plans into prompts sent to Groq.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs users to store a Groq API key in a local .env file under a workspace path, but provides no guidance on least-privilege handling, file permissions, gitignore use, or avoiding accidental disclosure in logs, archives, or shared workspaces. In an agent-skill context, this is risky because the same workspace may be inspected, copied, zipped, or exposed by other automation steps, increasing the chance of credential leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal