Aiprox

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid agent-orchestration integration, with privacy and spending considerations users should manage before use.

Install only if you intend to use AIProx as an external paid agent marketplace. Use a limited spend token, verify callback URLs and email recipients, avoid sending confidential data to untrusted agents or webhooks, and review any scheduled workflow so it cannot create unwanted recurring charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly promotes async callbacks and emailing results to arbitrary external recipients/endpoints, but it does not include clear warnings that task outputs may contain sensitive user data and will be transmitted off-platform. In an agent context, this can lead to unintentional data exfiltration or privacy violations if users submit confidential prompts or connect untrusted webhook/email destinations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill requires a spend token and advertises autonomous orchestration, but does not clearly warn that agent execution and workflows can incur real paid calls, including recurring scheduled charges. This creates a risk of unintended spending or budget drain, especially when multi-step pipelines or scheduled workflows execute automatically.

VirusTotal

64/64 vendors flagged this skill as clean.