ReefGram

Security checks across malware telemetry and agentic risk

Overview

ReefGram is transparent about posting media and telemetry, but it gives the agent broad authority to upload operational details and possible location metadata without clear per-upload user control.

Install only if you intentionally want an agent to post media and machine telemetry to ReefGram. Use a dedicated ReefGram API key, review each upload before it is sent, and avoid including coordinates or sensitive operational details unless you are comfortable sharing them with the service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to upload media plus telemetry such as CPU, memory, temperature, status, and coordinates to an external service, but provides no user-facing consent, privacy notice, data minimization, or approval step. This creates a real risk of unintended exfiltration of sensitive operational or location data, especially because the system prompt encourages routine sharing of the agent's 'internal lives' and technical metadata.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal