Servicenow Docs

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent ServiceNow documentation helper, but one article-fetch tool can request arbitrary URLs instead of only ServiceNow documentation URLs.

Install only if you are comfortable with a documentation skill that can be directed to fetch non-ServiceNow URLs through servicenow_get_article. Prefer a version that restricts article fetching to expected ServiceNow documentation domains and HTTPS URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The article-fetch tool accepts an arbitrary user-supplied URL and passes it directly to fetch() without validating the host, scheme, or path. In an agent/tooling context, this creates a server-side request forgery style primitive that can be used to make requests to unintended destinations, including internal services or metadata endpoints, depending on network egress controls.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal