catime

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: installs a cat-image CLI, fetches public GitHub-hosted cat images, and sends them to the user.

Install only if you are comfortable adding the external Python package catime. Use an isolated Python environment if possible, and invoke the skill when you explicitly want the agent to fetch and send cat images.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill description uses very broad activation language such as requests for a cat picture or browsing the gallery, which can cause over-triggering in normal conversation without clear user intent to invoke this external capability. Over-broad triggers increase the chance an agent fetches external content or sends media when the user only meant casual discussion, creating unnecessary tool use and possible privacy or UX issues.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The workflow trigger table maps vague phrases like 'Show me a cat' or 'Send me a cat' directly to command execution without scope constraints, confirmation rules, or disambiguation. In agent environments, this can lead to unintended external actions, media sending, or network access based on underspecified user requests.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal