species_identification_sequence_blast_annotation_tool

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its BLAST annotation purpose, but a crafted OTU table can make one script write result files outside the chosen output folder.

Review this before installing if you will run OTU tables from other people. Use a dedicated output directory, avoid private sequence data unless NCBI submission is acceptable, and sanitize or inspect sample column names so they cannot contain ../, absolute paths, or other filename tricks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The quick-call phrases are broad and generic enough that they could cause the skill to be invoked unintentionally during normal conversation, especially when users mention BLAST annotation in a descriptive rather than imperative way. In an agent setting, ambiguous invocation increases the chance of unexpected tool guidance or downstream actions being triggered without sufficiently explicit user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal