Queenshow Detail Page Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Queenshow detail-page integration, but it handles production content uploads and API keys in ways users should review carefully.

Install only if you are comfortable sending selected product media and detail-page content to Queenshow. Prefer environment variables, stdin, or a secret file over command-line API keys, and use a least-privilege API key that can be rotated if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs agents to upload local images/videos and send product content to an external API using an API key, but it does not prominently warn about privacy, confidentiality, or data transfer consequences. In practice, this can lead to unintended disclosure of sensitive media, proprietary product information, or credentials-associated actions on a third-party platform.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: Accepting the API key via a command-line argument can expose credentials through shell history, process listings, job control tools, CI logs, and audit telemetry on multi-user systems. In this skill, the key authorizes creation, update, upload, and usage-query operations against a production content API, so leakage could enable unauthorized access and modification of detail pages and associated materials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal