Back to skill

Security audit

Use Soulseek to Chat and Share Files

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent guide for installing and using Soulseek, with some credential and privacy cautions users should handle carefully.

Before installing, use a dedicated Soulseek account and password, avoid placing credentials in shell history or logs, and prefer a neutral username. Review any shared-folder settings carefully so the client does not expose private files, and only share content you have the right to distribute.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to place Soulseek credentials in plaintext environment variables but does not warn that such values may be exposed through shell history, process inspection, logs, crash reports, or inherited environments. In an agent-oriented context, this is more dangerous because credentials may be handled by automation, stored in transcripts, or reused across systems, increasing the chance of account compromise.

Natural-Language Policy Violations

Low
Confidence
76% confidence
Finding
The guidance suggests adopting a recognizable username prefix to identify as an agent, which can unnecessarily disclose role or affiliation and make users easier to track, target, or socially engineer. In a peer-to-peer chat and file-sharing network, publicly signaling that identity increases privacy and targeting risk beyond what is needed for normal operation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.