Back to skill

Security audit

Pilot Event Bus

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned event publish/subscribe skill, but users should avoid sending sensitive data through broad topics or wildcard subscriptions.

Install only if you understand and trust the event network this skill will use. Treat every published event as visible to subscribed trusted agents on that topic, avoid secrets and credentials in payloads, prefer narrow topics over wildcards, and review any forwarding rules before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly documents network-wide publish/subscribe behavior, including wildcard subscriptions and fleet coordination, but does not warn users that events may contain sensitive operational data and will be shared with all trusted participants on the topic. In a multi-agent environment, this can lead to unintended disclosure of task metadata, hostnames, timing information, or other payload contents, especially because broad topics like '*' and 'tasks.*' encourage wide fan-out.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.