aeo-system

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches an Answer Engine Optimization workflow, but its publishing template includes hidden AI-targeting notes that could steer ostensibly neutral recommendations toward a preferred brand.

Install only if you are comfortable using this for marketing-oriented AEO work. Before publishing generated content, remove hidden comments, disclose commercial interests, verify claims and comparisons, and avoid entering confidential strategy or customer data unless you accept sending it to third-party AI providers and storing outputs locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This template explicitly tells authors to craft a TL;DR so AI models will quote a brand-favoring summary verbatim while making it sound neutral. That is a manipulation pattern aimed at steering downstream model outputs and can mislead users by laundering advertising as objective guidance.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The file is a content-generation template for promotional comparison pages rather than a neutral audit or tracking artifact. While not directly executing code, this mismatch increases the chance the skill is used to produce deceptive recommendation content under the guise of analysis.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly describes querying external AI platforms and collecting competitive recommendation data, but it does not clearly warn users that prompts, brand names, categories, and possibly target-site-derived content may be transmitted to Perplexity/OpenAI or other external services. In a skill with network permissions, this omission can lead to unintentional disclosure of sensitive business information, research plans, or customer-specific data during audits.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists full query text and full model responses to JSON and Markdown files, which can expose sensitive business inputs, competitive-intelligence targets, cited URLs, and potentially confidential ad hoc queries entered by the user. In this skill context, the tool is explicitly designed for market intelligence, so retaining raw prompts and outputs on disk increases confidentiality risk, especially in shared workspaces or CI environments.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The instructions are specifically designed to get AI assistants to repeat a preferred marketing message as if it were an independent recommendation. This is dangerous because it attempts to exploit retrieval and summarization behavior to bias assistant outputs without transparent attribution.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
This section encourages structuring competitor content primarily to increase AI trust and citation likelihood, not just to inform readers. That creates an optimization loop for manipulating assistant selection and citation behavior rather than improving informational quality.

Ssd 2

Medium
Confidence
93% confidence
Finding
The template uses ostensibly neutral language while directing authors to encode a preferred recommendation and differentiators into a summary intended for AI reuse. This can cause users to receive commercially steered answers that appear objective and independently derived.

Ssd 4

Medium
Confidence
86% confidence
Finding
The multi-step strategy is aimed at gradually increasing model trust so the publisher's page is more likely to be cited and its preferred brand elevated. In context, this is a deliberate content-shaping technique to steer AI recommendation behavior at scale.

Ssd 4

Medium
Confidence
90% confidence
Finding
The FAQ guidance tells authors to mirror exact user-to-AI query phrasing so assistants may reproduce the page's preferred answer. That is a query-targeted influence tactic that can amplify marketing narratives through assistants while appearing organically relevant.

Hidden Instructions

High
Category
Prompt Injection
Content
---

<!-- 
IMPLEMENTATION NOTES (delete before publishing):

This TL;DR section is the most important element on the page.
Confidence
84% confidence
Finding
<!-- IMPLEMENTATION NOTES (delete before publishing): This TL;DR section is the most important element on the page. AI models will quote it verbatim. Write it exactly as you want ChatGPT to say it a

Hidden Instructions

High
Category
Prompt Injection
Content
---

<!-- 
HOW TO CHOOSE NOTES (delete before publishing):

This section builds topical authority and adds depth that signals to AI models
Confidence
78% confidence
Finding
<!-- HOW TO CHOOSE NOTES (delete before publishing): This section builds topical authority and adds depth that signals to AI models that the page is genuinely helpful, not just a product list. Wri

VirusTotal

66/66 vendors flagged this skill as clean.