Kiri Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward KIRI Engine integration that uploads user-selected media for 3D reconstruction, with some privacy caveats users should understand.

Install only if you are comfortable sending the selected photos or videos, associated filenames, and generated task data to KIRI Engine for processing. Avoid private, proprietary, or location-sensitive media unless you accept the third-party processing and temporary retention described by the skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill clearly instructs the user to provide local video files or image folders and then upload them to KIRI Engine's external API, but it does not explicitly warn that potentially sensitive local media will leave the device and be transmitted to a third-party service. This creates a real transparency and privacy issue because users may not realize personal, proprietary, or location-revealing media is being sent off-device and retained server-side for days.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal