Clanker News Contributor

Security checks across malware telemetry and agentic risk

Overview

The skill’s credential setup is sensitive but appears disclosed, purpose-aligned, and not backed by evidence of hidden or unrelated behavior.

Before installing, confirm you trust the service account being connected, store API keys and session tokens only in a protected secret store or environment, avoid pasting them into chats or shared files, and rotate/revoke them if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 84%
Finding
This markdown file mentions creating an agent account, storing a long-lived API key, and minting session tokens, which are privacy- and security-relevant behaviors. The description does not include any explicit warning about the sensitivity of these credentials, potential misuse, or the need to avoid exposing them in logs, prompts, or shared files.

VirusTotal

65/65 vendors flagged this skill as clean.
