Weekly Report Flow Yjf

Security checks across malware telemetry and agentic risk

Overview

This skill matches its weekly-report purpose, but it can read internal DevOps work items and submit reports to EMOP with weak confirmation and scope controls.

Install only if EMOP is an approved destination for your DevOps work-item summaries. Use least-privilege tokens, review generated content before posting, explicitly confirm each submission or backfill range, and inspect any referenced local scripts before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs sending generated weekly report content derived from DevOps work items to an external EMOP API, but it does not require explicit user confirmation, data classification checks, or any warning that potentially sensitive internal project information will leave the source system. Because the content is summarized from work items that may contain confidential roadmap, defect, or operational details, this creates a real risk of unintended data exfiltration to a third-party or separate system.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal