Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed agent-to-agent messaging setup, with the main risk being that messages, files, or code may leave the local environment through the MRP relay and other agents.

Install only if you trust the required MRP plugin and are comfortable with agent messages and attachments passing through the MRP relay and potentially other agents. Do not send secrets, regulated data, proprietary code, or sensitive files unless the user has explicitly approved that external sharing; prefer allowlists/private visibility and protect the generated keypair file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly encourages sending code and other task content to third-party agents on the MRP network, but it does not require a clear user-consent or data-classification step before disclosure. In practice, users may provide proprietary source code, internal documents, credentials embedded in code, or regulated data, and the relay/plugin forwards that content to external parties outside the local trust boundary.

VirusTotal

66/66 vendors flagged this skill as clean.
