skill-0331-02

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward wrapper for a summarization CLI, with the main caution that submitted content may be processed by external AI and extraction services.

Install this only if you are comfortable sending selected files, URLs, or YouTube-derived content to the model or extraction provider you configure. Do not use it on secrets, confidential documents, regulated data, or private URLs unless your organization has approved those services; disable optional fallbacks when you do not want Firecrawl or Apify involved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly supports summarizing URLs, local files, and YouTube content using external model providers and optional third-party services, but it does not warn users that submitted content may be transmitted off-host. This can lead to unintentional disclosure of sensitive local documents, private URLs, or media content to external APIs, especially because the examples encourage direct use on arbitrary files and links.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal