Back to skill

Security audit

Requirement Guide

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward requirements-questionnaire tool that only persists data when its save/load APIs are called with a chosen file path.

Before installing, treat saved sessions and generated documents as potentially sensitive business records. Save them only to intended locations, avoid shared directories for confidential projects, and delete old JSON files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
79% confidence
Finding
`save_session` writes potentially sensitive requirement-gathering data to disk without any built-in consent, warning, or visibility mechanism. In a conversational requirements tool, sessions may contain business context, security requirements, timelines, and other confidential project details, so silent persistence can create unintended data retention and disclosure risk.

Missing User Warnings

Low
Confidence
82% confidence
Finding
`save_document` persists the generated requirements document to disk without any user-facing disclosure, even though the output may consolidate sensitive project information into a single artifact. This increases confidentiality risk because users may not realize a durable file containing internal requirements has been created and left on the filesystem.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.