Inventory Supply Chain

Security checks across malware telemetry and agentic risk

Overview

This appears to be an instructional inventory and supply-chain planning skill, not a tool that executes purchases or accesses systems by itself.

Safe to install as a planning and analysis aid. Treat purchase orders, supplier recommendations, reorder decisions, and stock-count workflows as drafts that still need normal business approval and review before anyone changes inventory records or commits spend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The skill metadata description is very broad and generic, which increases the chance that an agent framework may activate this skill for loosely related business, operations, or analytics requests. Over-broad activation can cause unintended tool or skill selection, exposing inventory workflows, supplier data, or automated purchasing logic in contexts where the user did not explicitly request supply-chain actions.

Vague Triggers

Medium
Confidence: 88%
Finding
The natural-language command list invites broad invocation but does not define authorization checks, operational limits, or boundaries between informational queries and state-changing actions such as generating purchase orders or running counts. In an agent environment, this ambiguity can enable prompt-based triggering of consequential actions without sufficient confirmation, validation, or least-privilege controls.

VirusTotal

64/64 vendors flagged this skill as clean.
