Security audit

Brand Prospect Researcher

Security checks across malware telemetry and agentic risk

Overview

This is a public-web research skill for finding influencer-marketing brand prospects, with a minor over-broad trigger concern but no hidden code or unsafe authority.

Install this only if you want an agent to research public influencer-marketing prospects and collect public contact leads. Review results before outreach, verify any contact details, and be mindful of LinkedIn/Instagram terms and privacy obligations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger list includes broad phrases such as 'prospect list,' 'brand prospects,' and 'campaign activity,' which can match many generic research or sales requests outside the skill's narrow purpose. Over-broad activation can cause the wrong skill to run, leading to unintended web searches, collection of contact data, and irrelevant or privacy-sensitive prospecting output in contexts where the user did not ask for influencer-marketing lead generation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal