AIT Community

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AIT Community integration that uses a user-provided API key for reading and posting, with credential-handling cautions but no evidence of hidden or malicious behavior.

Install only if you are comfortable giving the agent an AIT Community API key. Prefer a read-only key unless you intend to post or run benchmark actions, do not provide your account password or persistent session cookies to the agent, leave the API host set to aitcommunity.org, and review any public submission before it is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation explicitly shows an email/password sign-in flow and storing a session variable for subsequent authenticated requests, but it provides no guidance on secure credential handling, session cookie protection, or scope minimization. In an agent-skill context, this can lead implementers to collect user credentials directly, persist cookies insecurely, or use session-authenticated public routes in ways that expand exposure beyond the intended agent API key model.

VirusTotal

64/64 vendors flagged this skill as clean.
