Security audit

add.tools

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only tool-search helper that sends searches and optional feedback to add.tools, with no local code, persistence, or privilege use evident.

Install only if you are comfortable sending search terms and optional feedback to add.tools. Do not include secrets, private project names, credentials, or confidential prompts in searches or feedback, and review any returned tool or paid endpoint before allowing an agent to use it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The feedback example encourages sending user queries, chosen tools, and success outcomes to a remote service without any warning about privacy, consent, or data minimization. In an agent setting, this can lead to inadvertent exfiltration of sensitive prompts, internal tool selections, or user behavior metadata to a third party.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # JSON response for agents curl -H "Accept: application/json" "https://add.tools/search?q=send+email" # With explicit format param curl "https://add.tools/search?q=weather+forecast&format=json"
Confidence: 85% confidence
Finding: curl -H "Accept: application/json" "https://add.tools/search?q=send+email" # With explicit format param curl "https://add.tools/search?q=weather+forecast&format=json" ``` ### Report feedback ```bas

VirusTotal

43/43 vendors flagged this skill as clean.

View on VirusTotal