ProductClank — Community-Powered Growth

Security checks across malware telemetry and agentic risk

Overview

This is a real ProductClank marketing skill, but it can spend credits, manage campaigns, and generate public promotional replies using examples that encourage misleading endorsements.

Install only if you intentionally want an agent to operate ProductClank campaigns. Use a dedicated limited API key, require explicit approval before any credit spend, post generation, deletion, delegation, or recurring run, and rewrite campaign prompts so public replies are truthful and disclose sponsorship, incentives, or agent-generated participation when applicable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Severity: Low | Confidence: 80%
Finding: An unauthenticated `GET /agents/by-user` endpoint enables agent enumeration for any supplied user ID, which is broader account-discovery functionality than a social campaign skill needs. If user IDs are guessable, leaked, or obtainable elsewhere, this can support profiling, correlation of which agents belong to which users, and targeted abuse against linked accounts.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding: The examples materially expand the advertised scope from simple Boost/Discover social engagement into generic campaign management, delegation, and billing-related operations. Scope expansion is dangerous because integrators may grant broader permissions or invoke workflows they would not expect from the manifest, increasing the chance of unauthorized administration or spending.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding: The documented trusted-agent flow allows passing `caller_user_id` to bill a human user's credits, which is a financially sensitive action beyond the stated engagement purpose. If surfaced to an agent without strict trust boundaries and consent verification, this can enable unauthorized spending or confused-deputy abuse against end users.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding: Delegator management is an administrative capability that can grant campaign access to other users and is not implied by the manifest's limited engagement use case. Exposing admin actions in a broadly usable skill increases the risk of unauthorized access changes and privilege misuse.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding: The examples explicitly market 'authentic' or 'genuine' engagement while instructing generated replies to present fabricated user experience and endorsements. This is deceptive astroturfing: it misleads audiences about the source and independence of the speech, creating legal, reputational, and platform-policy risk.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding: The README explicitly says the skill is loaded automatically and that the agent will authenticate and create Boost or Discover campaigns, each of which consumes credits. In a skill for autonomous marketing actions, failing to require an explicit user confirmation and spending warning increases the risk of unintended paid actions and account-impacting behavior.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding: The documented flow sends product details, keywords, search context, and targeting information to ProductClank APIs, but the README does not clearly warn users that this campaign and social targeting data leaves the local environment. For an agent skill that automates social marketing, omission of a privacy and data-sharing notice can lead to unexpected disclosure of sensitive business plans, customer information, or competitive targeting strategy.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding: The skill guides the agent to create campaigns, spend credits, and trigger real engagement actions, but the top-level description does not prominently warn that these are paid, state-changing operations. This increases the risk of users invoking the skill without informed consent, especially because the workflow can act on linked accounts and consume balances immediately.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding: The review endpoint states that it scores posts and deletes irrelevant ones, with `dry_run` defaulting to `false`, but does not present a strong upfront warning that the default action is destructive. In agent-driven workflows, users may trigger review expecting classification only and unintentionally cause data loss or workflow disruption.

Natural-Language Policy Violations

Severity: High | Confidence: 99%
Finding: This example tells the model to 'reply as a user who recently switched' and share personal experience that may be entirely fabricated. That is direct impersonation of an independent customer to influence others, which is deceptive and can violate consumer protection and platform rules.

Natural-Language Policy Violations

Severity: High | Confidence: 99%
Finding: The launch campaign explicitly instructs generated content to claim beta usage and personal history to make promotion appear organic. Fabricated personal-use claims are deceptive endorsements designed to manipulate trust and engagement.

Natural-Language Policy Violations

Severity: High | Confidence: 99%
Finding: The growth rewards example combines payment incentives with instructions to sound like an ordinary satisfied user, encouraging compensated endorsements without disclosure. This creates covert paid advocacy, a particularly risky form of deceptive marketing with regulatory exposure.

Ssd 4

Severity: Medium | Confidence: 94%
Finding: The skill explicitly frames coordinated third-party amplification as 'authentic' and later promotes 'competitor intercept' behavior, which encourages deceptive or manipulative social engagement. In context, this is not just marketing language: the APIs operationalize mass reply generation and coordinated posting, creating reputational, platform-policy, and abuse risks.

Ssd 4

Severity: Medium | Confidence: 97%
Finding: The custom reply guidance instructs the system to 'Reply as a developer who has used our product for 6+ months,' which encourages fabricated personal experience and false identity claims. That makes the generated content inherently deceptive and increases the chance of fraudulent endorsements or impersonation-style abuse at scale.

Ssd 4

Severity: Medium | Confidence: 95%
Finding: The staged persona-building in these campaign examples is meant to produce endorsements that look organic rather than sponsored or agent-generated. Even where not framed as explicit impersonation, this is deceptive content design that undermines provenance and user trust.

Ssd 4

Severity: Medium | Confidence: 96%
Finding: The launch example directs the model to present itself as a beta user with a fabricated relationship to the product. That makes the advocacy appear to come from a genuine community member, increasing deception and downstream trust abuse.

Ssd 4

Severity: Medium | Confidence: 97%
Finding: Here the examples pair financial rewards with prompts to speak like a happy beta user, creating covert incentivized advocacy. The combination of compensation and hidden sponsorship substantially raises deception and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
