Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a real calculator skill, but its calculator input can execute arbitrary Python code, so it needs review before installation.

Review before installing. The skill appears to be intended as a calculator and has no visible network, credential, persistence, or destructive behavior, but it should be changed to use a strict math parser or AST allowlist before being used on untrusted expressions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

eval() call detected

High
Category
Dangerous Code Execution
Content
    expr = re.sub(r'(\))(\()', r'\1*\2', expr)

    try:
        result = eval(expr, {"__builtins__": {}}, safe_dict)

        # Format result nicely
        if isinstance(result, float):
Confidence
97% confidence
Finding
result = eval(expr, {"__builtins__": {}}, safe_dict)

VirusTotal

47/47 vendors flagged this skill as clean.