Back to skill

Security audit

Tmpfiles Upload

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only skill for creating temporary public tmpfiles.org links, with the main risk being accidental sharing of sensitive files.

Install only if you want an agent to create public temporary tmpfiles.org links. Before each use, confirm the exact file path and recipient, and do not use it for sensitive, confidential, or permanent storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to upload arbitrary files to a public third-party temporary hosting service, but the warning about public accessibility appears later in a generic notes section rather than adjacent to the upload steps. This creates a real risk that agents or users will transmit screenshots, documents, or other potentially sensitive material off-platform without informed consent, especially because the skill is framed as a fallback for failed direct uploads in messaging workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
def upload_to_tmpfiles(file_path):
    """Upload file to tmpfiles.org and return download URL"""
    with open(file_path, 'rb') as f:
        r = requests.post('https://tmpfiles.org/api/v1/upload', files={'file': f})
        data = r.json()
        if data.get('status') == 'success':
            # Replace org/ with org/dl/ for direct download
Confidence
97% confidence
Finding
requests.post('https://

External Transmission

Medium
Category
Data Exfiltration
Content
python3 -c "
import requests
with open('/path/to/file.png', 'rb') as f:
    r = requests.post('https://tmpfiles.org/api/v1/upload', files={'file': f})
    d = r.json()
    if d.get('status') == 'success':
        print(d['data']['url'].replace('org/', 'org/dl/'))
Confidence
97% confidence
Finding
requests.post('https://

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.