S2-Digital-Avatar

Security checks across malware telemetry and agentic risk

Overview

This looks like a disclosed security-gatekeeper prototype, but it asks for email credentials and overstates real enforcement while relying on prompt-based LLM decisions.

Install only if you treat it as an experimental advisory tool, not a proven safety firewall. Use a dedicated SMTP app password, protect or remove the generated local config files, avoid putting secrets in action/context text, and verify the source/version mismatch before trusting it with sensitive workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill requires SMTP-based email alerting and implies sending audit logs externally, but it does not mention minimization, redaction, encryption, recipient validation, or the privacy risks of transmitting potentially sensitive agent context over email. Because this middleware handles sensitive-action interception, those logs may contain prompts, identities, local system details, or behavioral data that could be exposed through misconfiguration, mailbox compromise, or insecure SMTP transport.

Natural-Language Policy Violations

Low
Confidence: 93%
Finding
The manifest description states that the skill 'Requires user SMTP configuration to go ONLINE,' which presents a mandatory operational/status requirement without any indication of user opt-in or configurability. In a security-sensitive middleware skill, this can pressure users into enabling external email infrastructure and an 'ONLINE' mode by default, increasing privacy and attack-surface concerns even if the issue is primarily policy/UX-related rather than a direct exploit.

Ssd 1

Medium
Confidence: 84%
Finding
The skill instructs the model to assume an elevated 'legal proxy' authority and to make security decisions over other agents based on prompt-supplied rules and context. This is dangerous because prompt-based authority is not a real enforcement boundary: a compromised caller, manipulated avatar data, or prompt-injected context could cause incorrect approvals or denials while appearing authoritative.

VirusTotal

VirusTotal findings are pending for this skill version.