Back to skill

Security audit

Safe IA — Monitor de riesgos de herramientas IA

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent AI compliance monitor, but it stores and reuses personal and business profile details across conversations without clear retention, opt-out, or deletion controls.

Install only if you are comfortable with the agent remembering your business profile and AI-tool usage across conversations. Avoid sharing sensitive customer, legal, health, financial, or regulated-data details unless the publisher clarifies how memory can be viewed, edited, deleted, and disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to store personally identifying and business-profile data in memory across conversations, but it does not provide a clear privacy notice covering retention, reuse, scope, or consent. This creates a real privacy risk because users may disclose personal and business-sensitive information without understanding that it will be persisted and later reused.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section directs ongoing storage and proactive reuse of user data between conversations, including personalized alerts based on prior activity, without clearly warning the user that tracking continues over time. That is dangerous because it enables behavioral profiling and unexpected reuse of prior disclosures, especially in a compliance-oriented skill where users may share sensitive operational details.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs collection and persistent reuse of multiple profile attributes, including jurisdiction, types of data processed, tool usage, and consultation history, without clear minimization or necessity boundaries. In context, this is more dangerous because the skill targets compliance and risk monitoring, so users are likely to share sensitive business and regulatory context that could be misused or over-retained.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.