Lead Qualification Notes

Security checks across malware telemetry and agentic risk

Overview

This sales-note skill works in its default mode, but its bundled Python script includes unrelated local file-auditing and pattern-scanning features that should be reviewed before installation.

Treat this as a Review item rather than malware. Install only if you are comfortable with a Python helper that contains broader local audit/scanning code than the advertised sales workflow requires. Use it only with intended lead-note files, avoid pointing it at private directories, and review generated output before sharing it or copying it into a CRM.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill explicitly advertises shell execution via `python3` and references local files for input/output, yet no corresponding permissions are declared. This creates a capability transparency gap: a user or hosting platform may treat the skill as harmless sales-note formatting while it can actually read local resources, write files, and invoke code, increasing the risk of unexpected file access or command execution.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The implementation materially diverges from the declared sales lead-qualification purpose and instead provides generic filesystem inspection, directory auditing, and package auditing behavior. In a skill ecosystem, this kind of hidden capability expansion is dangerous because it can be used to inspect unrelated local data and mislead users about what the skill actually does.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
Embedding secret-scanning and shell-danger pattern detection inside a sales-note skill is context-inappropriate and creates undisclosed capability to inspect sensitive content from arbitrary files. Even though the code only reports matches, the mismatch between claimed purpose and actual behavior raises the risk of unauthorized data discovery and erodes trust boundaries around what local data the skill may process.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The ability to recurse through arbitrary directories and summarize file contents is not justified by the declared lead-qualification purpose. In context, this broad file access expands the skill's reach to unrelated local materials, which can expose confidential business or personal information through generated reports.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The CLI presents itself as a local support script for the declared skill, but the actual behavior is a multipurpose audit utility. This kind of deceptive or inaccurate framing increases the chance that operators will run it with sensitive paths they would not otherwise provide, enabling unintended inspection of local content.

VirusTotal

64/64 vendors flagged this skill as clean.
