test转储 (test dump)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RPA data-transfer helper, but it encourages automated imports into another system on a schedule without enough safeguards.

Review before installing or operationalizing. Use a test environment first, verify source and target URLs, confirm how duplicate imports are prevented, use least-privilege credentials, require logs or audit records, and do not enable the cron job until rollback and idempotency behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents unattended export from one system and automated import into another, including a cron example, but does not warn that it modifies external systems or recommend confirmation, scoping, and operational safeguards. In an RPA/data-transfer context, this increases the risk of unintended writes, bulk bad data propagation, and silent scheduled actions against production systems.

VirusTotal

64/64 vendors flagged this skill as clean.
