Crm Next Action

Security checks across malware telemetry and agentic risk

Overview

This is a local CRM drafting helper that does not show networking, credential use, CRM writeback, or persistence, though its script contains unused audit code that should be cleaned up.

Install this only if you want a local helper to turn CRM opportunity or customer-list notes into reviewable next-action drafts. Point it only at files you intend the agent to read, avoid sensitive broad directories, and redact customer data when your local agent environment is not approved for it. The publisher should remove the unused audit branches or document them separately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill declares no permissions, yet its instructions explicitly allow shell execution via python3 and imply reading local resources and writing output files. This creates a capability/permission mismatch that can mislead reviewers and routing systems, increasing the chance the skill is invoked in contexts that do not expect code execution or filesystem access.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The dispatcher implements multiple generic audit modes (directory, CSV, pattern, and skill-package analysis) instead of a narrowly scoped CRM next-action workflow. In the context of a CRM skill, this represents capability mismatch and covert functionality: a user invoking the skill could be induced to analyze arbitrary local files and directories unrelated to sales operations, expanding data access far beyond the declared purpose.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code performs arbitrary text-file enumeration and regex-based scanning for secrets, private URLs, and dangerous shell patterns, which is unrelated to generating CRM follow-up recommendations. In a CRM skill, these capabilities can be repurposed to inspect repositories or local workspaces for sensitive material, creating an unjustified data-discovery surface under misleading branding.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill-package auditing and frontmatter inspection functions are unrelated to CRM next-action generation and indicate hidden secondary behavior. While this code is primarily read-only, it can still be used to enumerate package structure and metadata from arbitrary directories, which violates least privilege and undermines trust in the skill's stated purpose.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The CLI presents itself as a support script for the CRM skill, but the exposed arguments and execution flow enable generic local analysis of arbitrary files and directories. This deceptive framing increases the chance that users will run the tool in sensitive environments without realizing it can inspect unrelated data, making the context more dangerous than a plainly labeled audit utility.

VirusTotal

66/66 vendors flagged this skill as clean.
