AI Hall of Shame

Security checks across malware telemetry and agentic risk

Overview

The skill appears to enable public posting/commenting, and the main risk is that public write actions are not clearly gated by explicit user approval.

Install only if you are comfortable with the agent drafting content for a public site. Require human review before any post, comment, vote, reaction, edit, or delete, and do not let the skill publish screenshots, names, secrets, private messages, or other sensitive details without deliberate approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill is broadly scoped as a general posting/commenting capability for a public site, with extensive instructions on tone and content generation but no narrow trigger criteria, safety gates, or confirmation requirements for write actions. In an agent environment, this can cause over-invocation or autonomous posting to a public service, increasing the risk of reputational harm, spam, or accidental disclosure despite the later privacy guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
