contribution-analysis

Security checks across malware telemetry and agentic risk

Overview

This is a statistics guide with a local CSV example; its main issue is an incomplete output example, not hidden or unsafe behavior.

Safe to install as a reference workflow, but review the output code before using it for decisions: write all contribution rows, clearly label any dominant-factor summary, and choose an output filename that will not overwrite important data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documented output discards the full contribution breakdown and writes only the single dominant factor, which can mislead downstream users into believing the analysis quantified all factor contributions as promised. In an analytics skill, this integrity issue can cause incorrect decisions or conceal important secondary drivers, especially when contributions are close or negative values exist.

VirusTotal

65/65 vendors flagged this skill as clean.
