AI Market Intelligence Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a benign placeholder market-report generator, with some documentation gaps around secrets, sharing, and installation.

Treat this as a local placeholder report generator, not a complete market-intelligence system. Do not fetch or run a separate setup.sh unless you review it, keep real API keys out of committed config files, and only enable email/channel/agent integrations after checking exactly what report data will be sent and to whom.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README shows API keys being placed directly into a config.json file without any guidance on secret handling, which can lead users to store credentials in plaintext and accidentally commit them to source control. If exposed, those credentials could allow unauthorized API usage, data access, billing abuse, or service compromise depending on the connected provider.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill explicitly states that generated reports can be sent to channels or email, but provides no warning, consent model, or privacy guidance about sharing potentially sensitive collected data. In a market-intelligence context, reports may include proprietary monitoring targets, internal analysis, or third-party content, so undocumented outbound sharing increases the risk of unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal