puzle-read

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated Puzle reading-library purpose, but its broad activation rules could send links, files, pasted text, or protected content to Puzle when the user did not clearly choose that.

Install only if you want your agent to use Puzle as a place to store and search articles, files, and extracted page content. Require explicit confirmation before uploading files, pasted text, private links, internal documents, or authenticated-browser content, and review Puzle's privacy and retention terms before using it with sensitive material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger guidance is extremely broad, covering common requests like summaries, uploads, bookmarking, and generic mentions of reading or analysis. This can cause the skill to activate in situations where the user did not specifically intend to send content to a third-party service, leading to over-collection or external transmission of user data.

VirusTotal

66/66 vendors flagged this skill as clean.
