Proposal Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only proposal-writing skill with no evidence of hidden access, code execution, persistence, or data exfiltration.

Safe to install as a proposal helper. Before sending generated work to clients, review ROI numbers, pricing, payment terms, deadlines, proof claims, and persuasion-oriented wording for accuracy, fairness, and fit with your business practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The advertised trigger phrases are very generic, such as 'Create a proposal for [client]' and 'Review my proposal', which can overlap with ordinary user requests in unrelated contexts. In agent environments that auto-route based on natural-language matching, this can cause the skill to activate unintentionally, leading to inappropriate handling of user data or unexpected proposal-generation behavior.

Vague Triggers

Medium
Confidence: 90%
Finding
The quick-start invocation phrase "Create a proposal for [client]" is very broad and resembles ordinary user requests a general assistant might receive. If this skill is auto-routed on shallow keyword matching, it could trigger unintentionally for unrelated proposal-writing requests and steer the assistant into this skill’s fixed workflow without clear user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
