Back to skill

Security audit

Ai Content Tailor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AI article-rewriting skill that uses OpenAI as expected, with privacy and setup caveats users should understand.

Install only if you are comfortable using an OpenAI API key and sending the articles you choose to OpenAI for rewriting. Avoid confidential, personal, regulated, or unpublished material unless that data flow is acceptable for your use case, and consider using a dedicated API key and a virtual environment for the pip dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs users to configure an OpenAI API key and states it uses OpenAI models, but it does not warn that article contents will be transmitted to an external third-party LLM service. This creates a real privacy and compliance risk because users may submit proprietary, personal, or regulated content without informed consent or understanding of external data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends the full article content to the OpenAI API via client.chat.completions.create without any explicit warning, consent flow, or redaction step. If users process confidential, unpublished, regulated, or personal content, this can result in unintended external data disclosure to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.