Swipe File Generator

Security checks across malware telemetry and agentic risk

Overview

This skill fetches user-specified web content and writes a local swipe file, which matches its stated purpose and shows no evidence of hidden or harmful behavior.

Install this if you are comfortable with the skill fetching URLs you provide, including possible Twitter/X requests through FxTwitter, and creating or updating files under swipe-file/. Review existing swipe-file content first if you need to preserve manual edits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly instructs the agent to create and modify workspace files (`swipe-file/swipe-file.md` and `.digested-urls.json`) but provides no warning, confirmation step, or safeguards against overwriting existing user data. In an agent context, silent file writes can unexpectedly alter project state, destroy prior content ordering, or append untrusted fetched content into local documents.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill directs the agent to fetch arbitrary external URLs and to send Twitter/X-derived requests to the third-party FxTwitter API, yet the skill metadata does not disclose this network behavior or the privacy implications. This can expose user-supplied URLs, browsing targets, and potentially sensitive query strings or identifiers to external services without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal