Usage Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a locally run usage-dashboard monitor whose main risks are local exposure of dashboard URLs and usage logs, not hidden or destructive behavior.

Before installing, use a stable dashboard URL without tokens, session IDs, one-time login parameters, API keys, or sensitive query strings. Keep config.json and usage-log.md out of public repos, screenshots, shared folders, and broad backups because they may reveal account-specific URLs and usage patterns.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The installation guide explicitly instructs users to copy the full browser URL for a usage/quota dashboard into config.json, but gives no warning that such URLs may contain account identifiers, session-bound query parameters, or other sensitive data. Storing full account-specific URLs in plaintext config files increases the risk of credential leakage, accidental sharing, or exposure through backups, screenshots, logs, and version control.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal