MIM Chat

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward chat client that connects to a named external messaging server for its intended purpose.

Install only if you are comfortable sending chat messages and receiving room history through the named external server. Do not send secrets, private files, credentials, or sensitive conversation context unless you trust that service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to connect to a third-party chat server, fetch room history, and send messages, but it provides no user-facing warning or consent step about external data sharing. In an agent setting, this creates a real risk that prompts, derived context, or user-related content could be transmitted to an external service or that untrusted chat content could be ingested back into the agent workflow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal