jpbot-device-skill

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only placeholder skill with inconsistent vehicle-brand and capability wording, but no executable behavior or evidence of device, credential, file, network, or persistence access.

Install only with the expectation that this is a test placeholder, not a functioning vehicle integration. The publisher should clarify the intended vehicle brand and mark listed telemetry or configuration functions as planned or implemented before users rely on it for vehicle status, location, or settings.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The document presents broad capabilities to query vehicle state, configure parameters, diagnose faults, and export ride data, then later states the skill only returns a fixed testing message. This inconsistency can mislead reviewers, users, or downstream agents about what the skill actually does, weakening trust and potentially masking future expansion into sensitive vehicle-control or telemetry functions without clear disclosure.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal