Token Report

Security checks across malware telemetry and agentic risk

Overview

This skill openly creates a token-usage report screenshot and sends it to a specific Feishu chat, which matches its stated purpose.

Before installing or using it, confirm that the Feishu chat ID is the intended group and that token/context usage data may be shared there. Ask for a preview or confirmation step if accidental posting would matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 97%
Finding
The skill instructs the agent to take a screenshot and send it to a hard-coded Feishu chat without any user-facing consent, review step, or data-classification check. Because the screenshot may contain operational metrics or other sensitive content rendered in Canvas, this creates a real exfiltration path to an external messaging destination.

VirusTotal

65/65 vendors flagged this skill as clean.