Nda

Security checks across malware telemetry and agentic risk

Overview

This NDA-generation skill is transparent about its remote rendering and local CLI paths, with consent and safety guidance for sensitive document data.

Before installing, decide whether the NDA contents are too sensitive for hosted rendering. Use Remote MCP only after accepting that NDA fields will be sent to openagreements.ai; for sensitive documents, prefer the pinned local CLI path and ensure the agent follows the documented filename, temp-file, and cleanup rules.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The workflow instructs the agent to send collected agreement field values to a remote MCP service for DOCX generation, but it does not require an explicit user warning or consent before transmitting potentially sensitive NDA details off-host. Because this skill is specifically for NDAs and confidentiality agreements, the transmitted data may include party identities, addresses, deal context, and confidential-purpose descriptions, making silent remote transfer a real privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal