Currency Convert

Security checks across malware telemetry and agentic risk

Overview

This currency conversion skill is purpose-aligned and disclosed, with minor concerns around broad triggers and a likely script-path mistake.

Install only if you are comfortable enabling exec and sending your Open Exchange Rates App ID plus requested currency pairs to that provider. Consider narrowing or manually confirming ambiguous requests because the trigger phrases may fire on non-currency questions, and check the script path before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger phrases are broad and overlap with common conversation such as 'how much is' and 'what is the rate,' which can cause the skill to activate unintentionally in unrelated contexts. Because the skill then instructs the agent to execute a local script, accidental invocation expands the attack surface and could lead to unnecessary code execution or external API calls.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal