Nirvana Skill

Security checks across malware telemetry and agentic risk

Overview

This privacy skill is not clearly malicious, but it makes strong privacy promises while enabling cloud fallback, local audit logs, caching, and mismatched install details that users should review carefully.

Review before installing. Confirm the exact package and publisher, disable cloud fallback for highly sensitive work unless explicitly needed, and verify where audit logs and cached responses are stored, how they are deleted, and whether verbose prompt logging can be turned off.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly promotes audit logging of boundary crossings and shows examples that include user questions, sanitized queries, and what was cached. Even if SOUL/USER/MEMORY are stripped before cloud calls, these logs can still retain sensitive prompts, inferred personal details, proprietary tasks, or regulated data locally, creating a new privacy exposure channel that is not clearly warned about or minimized.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal