Back to skill

Security audit

Qubitclient Vqa Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent VLM-based helper for reviewing quantum experiment plots, with no hidden execution or persistence in the submitted artifact.

Before installing, treat uploaded experiment plots as data sent to the configured LLM provider. Use an approved or self-hosted endpoint for confidential lab, proprietary, export-controlled, or unpublished results, and avoid passing sensitive plots unless the provider's retention and compliance terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill sends image inputs and prompt content to an LLM backend configured via OPENAI_BASE_URL and API credentials, but the documentation does not clearly disclose that experiment plots and related metadata may leave the local environment and be transmitted to an external service. In a research or lab setting, those images can encode sensitive experimental results, proprietary device behavior, or restricted data, so the omission creates a real confidentiality and compliance risk even if the underlying API use is expected functionality.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.