KYC Vault

Security checks across malware telemetry and agentic risk

Overview

This skill handles sensitive identity documents, but its artifacts clearly describe that purpose and require user confirmation before reading, uploading, or submitting anything.

Install only if you are comfortable letting an agent assist with KYC submissions. Review and edit every manifest field, especially the pre-filled nationality and residence values, inspect the downloaded template before entering real data, keep ~/identity-vault/ private, verify the domain every time, and approve each document and final submission deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
The template pre-populates nationality and country of residence as specific values ('Chinese' and 'China') instead of requiring the user to supply or confirm them. In a KYC skill handling identity documents, this can cause inaccurate identity submissions, misrepresentation to third-party services, or accidental disclosure/processing of sensitive personal data under false assumptions.

VirusTotal

65/65 vendors flagged this skill as clean.
