Back to skill

Security audit

S2 SSSU Spatial Genesis Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is a local spatial-address validator and registry that stores the addresses and entity IDs users give it in a disclosed SQLite database.

Install only if you are comfortable with a local SQLite database being created and retaining the spatial addresses and entity IDs you provide. Delete s2_spatial_genesis.db to reset the registry and timeline state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README explicitly states that the plugin creates a local SQLite database and logs entity events in a timeline, but it does not warn users about local data persistence, what data is stored, or retention/privacy implications. In an agent/plugin context, silent local logging can create unexpected privacy and forensic risks, especially if users assume the skill is stateless or if other local processes can access the database file.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description advertises broad capabilities like creating a local database and using active code execution tools, but it does not define clear invocation boundaries, authorization requirements, or safety constraints. In an agent skill, vague, high-power language increases the chance the skill is invoked in unintended contexts or with insufficient user confirmation, which can lead to unwanted local state changes or execution of risky operations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.