Competitor War Room

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed paid viral-script generator, but it routes prompts and payment credentials through unencrypted HTTP, so it needs Review before use.

Review before installing or using. Do not send sensitive prompts, personal data, or payment credentials through this skill unless the publisher provides an HTTPS endpoint with clear payment security guarantees.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill explicitly documents a payment flow over plain HTTP, including transmission of payment guidance and an x-payment-credential header. Sending payment-related tokens over an unencrypted channel exposes them to interception, modification, and replay by anyone on the network path, which can lead to credential theft, fraudulent payment confirmation, or tampering with analysis requests/results.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal