UniFuncs Reader

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward UniFuncs web and document reader, but private URLs and any cookies you provide are sent to UniFuncs.

Install only if you trust UniFuncs with the URLs and documents you ask it to read. Do not use --set-cookie with live session cookies, internal URLs, or confidential documents unless you explicitly intend to share that access with UniFuncs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill description omits a critical privacy warning that provided URLs and optional cookies are sent to the UniFuncs Reader API service. Because cookies may carry session or authentication data, users could unknowingly transmit sensitive browsing targets or credentials to a third-party service.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The --set-cookie option forwards a raw Cookie header value to a third-party remote API, which can include authenticated session tokens for other sites. This is dangerous because users may unknowingly disclose live credentials to UniFuncs, enabling account takeover or unauthorized access if those cookies are sensitive or reused.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal