Publish to dochost

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it publishes user-provided Markdown or HTML to a public dochost.io link using the user's API key.

Install only if you are comfortable giving the agent a dochost API key and having selected Markdown or HTML sent to dochost.io as a public or unlisted web page. Review and redact sensitive content before asking the agent to publish.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill defines broad natural-language triggers like 'publish this', 'share this as a link', and 'put this on the web' without requiring an explicit confirmation step. That can cause accidental invocation on sensitive content, leading to unintended public disclosure when the skill uploads data to an external service and returns a public URL.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill workflow centers on sending document contents to a third-party service and creating a public URL, but the description does not prominently require warning or consent before doing so. In an agent setting, this omission materially increases the risk of exfiltrating private, regulated, or credential-bearing content to an external public host.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal