Ai Connect

Security checks across malware telemetry and agentic risk

Overview

This skill is a web-access helper, but it asks users to export browser cookies for logged-in platforms without adequate safety boundaries.

Review before installing. Use it only if you are comfortable with an agent accessing external sites and potentially logged-in accounts. Do not paste or store browser cookies casually; treat them like passwords, prefer OAuth or scoped tokens where available, and use a dedicated low-privilege account if you proceed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrases are very broad and include common everyday terms like '联网', '看视频', and '读帖子', which can cause the skill to activate in unrelated conversations. In an agent environment, overly broad activation increases the chance of unintended network access or tool invocation without clear user intent, expanding the attack surface and creating privacy and safety risks.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill instructs users to export browser cookies and provide them to the agent, but does not include strong warnings that cookies are sensitive authentication secrets equivalent to session credentials. If mishandled, logged, retained, or exposed to other tools, these cookies could enable account takeover, unauthorized access, or cross-platform abuse.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal