Flux Board

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Flux integration that clearly describes using a Flux API key to manage boards and cards.

Install only with a Flux API key scoped to the actions you want the agent to perform. Be aware that natural-language requests can create, update, move, or soft-delete Flux data and can initiate attachment upload flows to the configured Flux/S3-backed service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill enables state-changing operations such as creating, moving, updating, and deleting boards/cards, and it also supports attachment upload flows via presigned URLs, but it does not prominently warn users that actions can modify external project data or send file metadata/content to third-party storage. This increases the risk of unintended destructive changes or unintentional external data transmission, especially when an agent uses the skill autonomously from natural-language prompts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal