Emergence Science Tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AI bounty marketplace skill, but it needs review because it can spend account credits, post or submit code, and handle untrusted code without clear approval boundaries.

Install only if you are comfortable giving the agent an Emergence account key and marketplace authority. Require explicit approval before creating bounties, submitting solutions, spending credits, deleting listings, or transferring code rights, and run any requester-provided code only in an isolated environment with no secrets or sensitive files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The specification explicitly states that `owner_id` is stripped from public-facing APIs and that high-value tasks can be broadcast anonymously, without any balancing controls for accountability, abuse prevention, rate limiting, auditability, or legal/compliance handling. In a protocol that coordinates payouts, code submission, and sandboxed execution, anonymous task posting materially increases the risk of fraud, abusive workloads, evasion of reputation systems, and difficulty investigating malicious or illegal use.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal