
Security audit

Phishing Reporter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward phishing-reporting helper, but users should confirm exactly what will be submitted to outside reporting services.

Install this only if you want help submitting suspected malicious URLs to external abuse-reporting services. Before using it, verify the site is actually harmful, confirm each destination service, and avoid including unnecessary personal, internal, or contact details in report descriptions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding: The trigger phrases are broad enough that ordinary conversation about reporting a URL could invoke the skill unintentionally. In this skill’s context, accidental activation is more dangerous because it can cause browser automation and submission of URLs/descriptions to external abuse-reporting services without a clearly scoped intent check.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill automates submission of user-supplied URLs and descriptive text to third-party services, but it does not clearly warn users that this data will leave the platform. That creates a meaningful privacy and trust risk, especially if the URL, accompanying description, or contact details contain sensitive investigative, internal, or personal information.

VirusTotal

64/64 vendors flagged this skill as clean.
