Quotly Style Sticker

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed quote-sticker generator that sends selected messages to an external rendering API. The main risk is accidental use in chats if implicit invocation is left broad.

Install this only where users understand that selected message content, sender display information, formatting entities, and optional avatar URLs may be sent to the configured QuotLy rendering API. For private groups or regulated environments, restrict QUOTLY_API_ALLOW_HOSTS and require a clear user request before auto-sending generated media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 86%
Finding
The default prompt and metadata describe broad triggering conditions such as generating stickers from forwarded or quoted messages, while implicit invocation is enabled. This can cause the skill to activate in contexts the user did not clearly intend, leading to processing of message content and identities from forwarded messages without sufficiently explicit user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.
