Security audit

Millimetric Track

Security checks across malware telemetry and agentic risk

Overview

This skill transparently helps an agent send or delete Millimetric analytics data using a user-provided server API key.

Install only if you want an agent to send Millimetric analytics events. Keep MILLIMETRIC_KEY secret, verify MILLIMETRIC_HOST before use, avoid unnecessary personal data in traits or properties, and require explicit confirmation before batch imports or GDPR forget/delete requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill explicitly supports sending analytics events, linking anonymous IDs to user IDs, bulk uploads, and GDPR erasure requests, but it does not instruct the agent to obtain user confirmation or warn about privacy and irreversible data-impact implications before acting. In an agent context, this can lead to unauthorized transmission of personal data or unintended deletion requests to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.