Back to skill

Security audit

Cloud Product Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud-documentation scraper and comparison helper, with normal network and file-output risks plus an optional browser stealth mode users should treat carefully.

Install only if you are comfortable with a local Python tool that opens a headless browser, contacts official cloud documentation sites, and may save fetched content and analysis reports into your workspace. Avoid using --stealth unless you have a clear compatibility need and have considered the target site’s automation terms; choose output filenames carefully to avoid overwriting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documented `--stealth` mode explicitly advertises an automation-compatibility/evasion feature beyond ordinary document retrieval. In this skill’s context, that increases risk because it normalizes bypassing bot detection and can be used to access sites in ways operators did not intend, even if framed as optional. The behavior is not necessary for the core comparison function and makes the scraper more dangerous than a standard documentation fetcher.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This code modifies browser fingerprinting characteristics, including setting a realistic desktop user agent and overriding `navigator.webdriver` to `undefined`, which is a classic anti-bot evasion technique. In a documentation-analysis skill, this is dangerous because it facilitates stealthy automated access to third-party sites and can help bypass site defenses or usage controls unrelated to the user’s legitimate need.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill instructs saving generated reports into the workspace but does not warn the user that local files will be created or could overwrite existing files. In this context the writes are expected and not covert, but lack of overwrite safeguards can still cause accidental data loss or unexpected persistence of scraped content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The scraper performs external network access to multiple third-party documentation domains and fetches page contents without a clear runtime warning or explicit confirmation that outbound requests will occur. This is risky in agent environments because users may not realize the tool will contact external services, disclose IP/user-agent metadata, and ingest remote content into downstream AI processing.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.