Africa

Security checks across malware telemetry and agentic risk

Overview

The skill does not show malware, but its documentation overstates live AI-backed policy analysis and its example credential setup can leak configured API keys into outputs.

Review this before installing as a production policy tool. Treat it as a demo or placeholder unless the publisher provides real data/model integration and freshness limits. Do not configure real API keys until dataSources are separated from display fields and secrets are masked or omitted from results.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The recommended invocation examples use very broad natural-language trigger phrases such as asking how to do business in Africa or to monitor policy changes. In agent ecosystems that map user utterances to skills, vague triggers can cause this skill to activate unintentionally on loosely related requests, leading to unnecessary data access, unexpected external API use, or misleading policy-analysis responses when the user did not explicitly request this skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal