Content Draft Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent content-drafting workflow, but users should notice that it fetches provided URLs and may use FxTwitter despite one misleading security note.

Install only if you are comfortable with the agent fetching the URLs you provide. Use public reference links, avoid private, internal, signed, or tokenized URLs, and review or delete the generated local markdown files if they contain confidential strategy, positioning, or draft content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The skill's security note is misleading because it claims no external services are required, yet the workflow explicitly fetches remote URLs and rewrites X/Twitter links to a third-party FxTwitter endpoint. Misstating network behavior can cause users or downstream agents to disclose URLs and content under false assumptions, weakening informed consent and review.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to fetch arbitrary user-supplied URLs but does not warn that those URLs may be transmitted to external systems or that fetching them may reveal sensitive browsing targets. This creates a privacy and trust risk, especially if users provide private, internal, or tokenized links believing the operation is local-only.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal