browser-file-uploa

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps upload user-specified local files to user-specified web pages, but users should be careful because uploads disclose those files to the destination site.

Use this only when you intentionally want to upload a specific file to a trusted website. Before running it, verify the destination domain, selector, and full resolved file path, and avoid uploading secrets, credentials, private documents, or unrelated workspace files unless that site is meant to receive them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
This skill instructs the agent to upload local files to arbitrary external web pages but does not warn that doing so can exfiltrate file contents, metadata, and sensitive filenames to third parties. The risk is amplified by examples that encourage absolute paths, workspace-relative files, and uploads to public sites, making accidental disclosure of local or workspace data more likely.

VirusTotal

66/66 vendors flagged this skill as clean.