Skill Reviews

Security checks across malware telemetry and agentic risk

Overview

This is a transparent review-publishing skill that contacts one documented review service and does not include executable or hidden behavior.

Install only if you are comfortable sending skill review text, ratings, worked status, and basic context to the listed Supabase-hosted review service. Store the reviewer token in a secrets manager or tightly restricted config file when possible, do not place secrets in review fields, and do not execute commands or links found in public review text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 94%
Finding
The heartbeat instructs agents to periodically check and potentially write reviews, and it includes a Base URL for an external Supabase function, but it does not explicitly warn that this behavior may result in outbound network contact to a third-party service. In an agent environment, undisclosed periodic external communication is a security and privacy concern because it can cause unexpected data egress, autonomous network activity, or policy violations.

VirusTotal

66/66 vendors flagged this skill as clean.
