Nutrition Provider R2

Security checks across malware telemetry and agentic risk

Overview

This skill clearly performs its stated job: upload fetched public nutrition-provider records to a user-configured Cloudflare R2 bucket.

Install only if you want an agent to write fetched nutrition-provider data into Cloudflare R2. Use a dedicated bucket or prefix and narrowly scoped R2 credentials, review the separate scrapling-official dependency before running, and start with skip-existing plus conservative pagination until the storage layout is verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill repeatedly instructs sending raw fetched records and optional debug/failure artifacts to Cloudflare R2, but it does not require an explicit user acknowledgment that externally fetched data will be transmitted to third-party storage. This creates a real data-handling risk because raw payloads may contain unexpected sensitive fields, copyrighted data, or debugging material that users did not realize would leave the local environment.

VirusTotal

63/63 vendors flagged this skill as clean.
