Testcase Reviews

Security checks across malware telemetry and agentic risk

Overview

The skill shows only disclosed local report output, with no evidence of hidden malware, exfiltration, or destructive behavior.

Before installing, confirm where the generated report will be written and avoid including secrets or private data unless you intend that information to remain on disk. The available signals do not show malware or hidden behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to write a Markdown report into a sibling `report/` directory, but it does not require prior user consent, confirmation of the destination, or any warning that filesystem writes will occur. In an agent environment with file access, this can cause unintended local state changes, overwrite/create artifacts, or leak sensitive requirement/test-case content into persistent storage without the user's awareness.

VirusTotal

64/64 vendors flagged this skill as clean.
