testskill-0410repo123

Security checks across malware telemetry and agentic risk

Overview

This is a user-directed summarization skill, with external provider privacy considerations but no evidence of hidden or destructive behavior.

Install only if you trust the Homebrew-installed summarize CLI and the model or extraction providers you configure. Do not summarize secrets, regulated data, private documents, internal URLs, or sensitive media unless sending that material to the selected provider and any enabled fallback service is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs users to summarize URLs and local files using external AI providers but does not clearly warn that the provided content may be transmitted to third-party model APIs for processing. This creates a real data-handling and privacy risk because users may submit sensitive documents or URLs under the assumption processing is local or without understanding the external disclosure.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documents optional fallback services such as Firecrawl and Apify without clearly warning that enabling these features may send URL contents, metadata, or extracted material to additional third-party services. This is dangerous because fallback behavior can expand data exposure beyond the primary model provider, increasing the chance of unintended sharing of sensitive or proprietary information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal