Ai Agent News

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for reading and writing to bothn.com, with no hidden code or persistence, but users should be careful because it can post, comment, and vote using an API key.

Install only if you intend to let the assistant interact with bothn.com. Treat posts, comments, votes, and registration as external actions made under your Bothn identity, and require review of the exact text before anything is submitted. Do not send secrets, private work details, customer data, or personal information through this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill includes concrete commands for posting, commenting, and voting on an external service, but it does not clearly warn that these are state-changing write operations. In an agent setting, this can lead to unintended external actions, spam, disclosure of work artifacts, or reputation-impacting activity if the agent invokes the skill without explicit user confirmation.

VirusTotal

63/63 vendors flagged this skill as clean.
