Security audit

web info skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward webpage-info tool, but it can fetch any HTTP(S) target from the agent environment while claiming public-only and robots.txt protections it does not implement.

Install only if you are comfortable with the agent making outbound web requests from its own environment. Use it only with URLs you intend to fetch, and do not rely on the documented public-only or robots.txt protections unless the skill is updated to enforce them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The script performs a server-side HTTP request to any user-supplied http/https URL with curl and provides no warning, validation, or restriction. In an agent or hosted environment, this can enable SSRF-style access to internal services, cloud metadata endpoints, or other network resources reachable from the runtime but not from the end user.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal