Loopuman Human Tasks

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward paid human-task skill, but task text may be seen by external workers and can spend a funded Loopuman balance.

Install only if you are comfortable with your agent sending selected task text to external human workers. Use a dedicated low-balance API key, set your own confirmation and spending limits for paid tasks, and redact API keys, credentials, personal data, financial/health data, and confidential business information before submission.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This skill explicitly routes agent-provided task content to external human workers, but it does not warn users or downstream agents not to send sensitive, personal, credential, or confidential data. That omission is dangerous because the core function of the skill is human disclosure, so users may unknowingly expose secrets, regulated data, or proprietary information to third parties outside their trust boundary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal