Cross-Cultural Insigh

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed API-based branding tool, but users should avoid sending confidential business plans because it uses an unencrypted HTTP IP endpoint.

Install only if you are comfortable sending brand names, product categories, and market-entry context to the listed external service. Do not submit confidential launch plans or sensitive client data unless you trust the publisher and accept that HTTP traffic can be observed or modified in transit.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to send brand_name, target_market, and product_type to a raw HTTP endpoint, which exposes submitted data to interception or modification in transit and provides no warning about network disclosure. While the data is not obviously highly sensitive, branding and market-entry plans can be commercially sensitive, so the skill context increases concern rather than reducing it.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal