Websocket Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only WebSocket development guide; its sample code needs normal production review, but the skill itself does not execute code or request sensitive access.

Safe to install as an instruction-only development aid. Before using generated or copied code in production, review CORS settings, authentication, authorization, rate limiting, logging, and secret handling, especially for real-time streams that may carry private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The SSE example explicitly sets `Access-Control-Allow-Origin: *`, allowing any website to open the event stream and read server-sent data. In a real-time communication skill, developers may copy this sample into production, which can expose notifications, presence data, or other streamed content cross-origin without proper access control or origin restrictions.

VirusTotal

66/66 vendors flagged this skill as clean.
