Back to skill

Security audit

数据管道工具箱

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only ETL skill with expected data-pipeline examples, but users should handle credentials and outbound data carefully.

Before installing or following the examples, confirm the package/source and any referenced pipeline tool are the ones you intend to use. Use test data first, keep credentials in protected environment variables or a secret manager, grant least-privilege access, review whether data may contain PII or confidential business records, and only schedule jobs or send webhook alerts to trusted destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly promotes extracting data from APIs, databases, files, and queues, then loading it into external destinations, but it provides no warning about handling sensitive data, access scope, or outbound transfer risks. In an ETL context, this can normalize moving production or personal data to third-party systems or webhooks without user awareness, increasing the chance of accidental data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples show use of connection strings and webhook/API endpoints, including environment-backed database URLs and external callback URLs, without any precautions for secret handling or outbound transmission. This is dangerous because users may paste real credentials into commands, logs, shell history, or configs and may send operational or business data to external services without validating trust boundaries.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.