assistant

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only bilingual product Q&A skill with no executable code, credential access, or hidden data-handling behavior.

Install this if you want PalmAI/KYC customer-response assistance. Review product facts before sending them to customers, and avoid pasting confidential customer or biometric data unless your workflow permits it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 88% confidence
Finding
The skill description says it applies broadly to acting as an assistant and autonomous knowledge accumulation, but it does not define concrete invocation boundaries or safe triggering conditions. This can cause the agent to activate the skill in unintended contexts, leading to scope creep, instruction interference, or inappropriate handling of tasks outside its intended domain.

Natural-Language Policy Violations

Medium, 84% confidence
Finding
The skill mandates bilingual output for all interactions without user choice, which can override user intent, increase unnecessary data disclosure, and create prompt conflicts with higher-priority instructions or downstream systems expecting a single language. In a multi-skill environment, rigid formatting requirements also make composition less reliable and can cause incorrect or policy-inconsistent responses.

VirusTotal

60/60 vendors flagged this skill as clean.
