Security audit

Qsr Food Cost Diagnostic

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, with the main caution being that it may retain restaurant diagnostic history containing sensitive business details.

Before installing, decide whether you are comfortable with prior diagnostic runs being reused. Avoid sharing confidential sales, payroll, vendor, customer, or margin details unless needed, and ask the agent to analyze without saving or to clear prior notes when appropriate.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs persistent storage of historical diagnostic runs, including dates, business performance metrics, root causes, and follow-up actions, but does not warn the user that this data will be retained over time. For restaurant operators, these records can reveal sensitive operational and financial patterns, so silent retention creates privacy and confidentiality risk if the data is later exposed, reused unexpectedly, or kept longer than the user intends.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.