browser-file-upload

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-directed helper for uploading a chosen local file to a chosen web page; normal privacy caution applies.

Install only if you need browser-based file upload automation. Before use, confirm the destination website is trusted and that the exact selected file is intended for upload, especially when using home-directory, environment-variable, or workspace-relative paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly facilitates uploading local files to arbitrary external websites and includes concrete examples targeting public domains, but it provides no warning to verify the destination, confirm file sensitivity, or obtain user approval before exfiltrating local data. In an agent setting, this increases the risk of accidental disclosure of confidential workspace files, credentials, or personal documents to untrusted sites.

VirusTotal

64/64 vendors flagged this skill as clean.
