Back to skill

Security audit

Product Analysis Skill

Security checks across malware telemetry and agentic risk

Overview

This is a local product-analysis helper with low-impact file output and no evidence of credential access, exfiltration, destructive behavior, or hidden install actions.

Installers should treat this as a local static/mock product-analysis utility, not a source of live market data. Use explicit invocation wording where possible, and avoid running batch reports on sensitive product lists unless local result files are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README defines generic activation phrases such as 'product analysis' and 'market analysis' without any namespace, confirmation step, or scope restriction. In agent environments that auto-route on trigger phrases, this can cause unintended invocation during normal conversation, leading to unexpected execution, data processing, or interference with user intent.

Natural-Language Policy Violations

Low
Confidence
73% confidence
Finding
The skill advertises fixed Chinese and English activation words but does not explain locale handling, user preference selection, or how ambiguity is resolved across languages. In multilingual agent systems, this can increase accidental triggering or misrouting, especially when common phrases overlap with ordinary user requests.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script automatically persists batch analysis results to a local JSON file without an explicit user-facing consent prompt or warning. If product names, categories, or derived analysis are sensitive, this can create unintended data retention on disk, exposing information to other local users, backups, or later compromise.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.