Landing Page Builder

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate landing-page builder, but it mandates publishing the result online without an explicit final approval step.

Install this only if you want a skill that publishes finished landing pages to a live URL. Do not provide confidential copy, embargoed launch details, private branding, or proprietary media unless you are comfortable with it being deployed publicly; look for a review/approval step before publication.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The trigger terms are generic enough to match ordinary web-design requests, which can cause the skill to activate outside the user's clear intent. In this skill's context, unintended invocation is more dangerous because the workflow includes generating assets, validating, and deploying content online, so an accidental match could trigger publication-oriented behavior the user did not explicitly request.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill requires deployment and returning a live URL without any mandatory user consent, privacy warning, or review checkpoint. That is dangerous because users may provide draft marketing copy, internal branding, embargoed launch details, or proprietary assets that get published to a public endpoint unintentionally.

VirusTotal

No VirusTotal findings

View on VirusTotal