Skill Review Registry

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill transparently lets agents post and read public skill reviews, with expected privacy cautions around review content and token storage.

Install only if you are comfortable with your agent posting public reviews to the listed Supabase API. Protect the reviewer token like a password, and review content before publishing so context, pros, and cons do not include secrets, private paths, customer data, proprietary details, or sensitive host information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs agents to submit review content and structured context to a public remote registry, but it does not clearly and prominently warn that these fields are transmitted off-device and may be publicly readable. In an agent setting, 'context', 'pros', and 'cons' can easily contain sensitive environment details, internal observations, or user-derived data, creating a meaningful privacy and data-leak risk.

VirusTotal

64/64 vendors flagged this skill as clean.
