Security audit

atifact

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward converter for user-provided agent logs, but the logs and generated trajectory files may contain sensitive information.

Install only if you trust the atifact npm package and intend to convert specific session logs. Treat HAR, JSONL, generated trajectory JSON, and stdout pipelines as confidential; redact secrets before sharing and store or delete outputs according to your privacy needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
This skill explicitly processes HAR and JSONL session logs, which commonly contain prompts, model outputs, API payloads, headers, identifiers, and other sensitive metadata. Omitting a privacy warning increases the chance that users supply confidential recordings without understanding that the tool will parse and reconstruct their contents into a new artifact.

Missing User Warnings

Medium
Confidence: 91%
Finding
The workflow tells the agent to report output paths and trajectory metrics after conversion, but does not warn that the generated trajectory files may themselves contain reconstructed sensitive session content. That can lead to unsafe sharing, indexing, or retention of files whose names and locations may reveal or expose confidential user activity.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.