Back to skill

Security audit

Skills.sh Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward skill-search CLI that queries the skills.sh registry and optionally shows install commands for discovered skills.

Safe to use for searching skills. Before running any displayed install command, review the target skill, publisher, source repository, and install scope because those follow-on installs may add new agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
84% confidence
Finding
This code performs an HTTPS request to skills.sh to retrieve data, which transmits the user's query context and system network metadata to an external service. Although the CLI prints that it is showing/searching skills, it does not explicitly warn in code comments, help text, or other user-facing text that it contacts a remote API.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.